U.S. critical infrastructure entities will soon be required to report significant cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), under the omnibus spending bill signed into law by President Joe Biden on Tuesday.

Congress passed HR 2471, the Consolidated Appropriations Act 2022, last week. Division Y of the bill is the Cyber Incident Reporting for Critical Infrastructure Act of 2022. A similar law was proposed in the House of Representatives last year but failed to make it past committee.

The new bill requires covered entities — those “in a critical infrastructure sector, as defined in Presidential Policy Directive 21” and further defined through rulemaking by CISA’s director — to report relevant cyber incidents to CISA within 72 hours after the entity “reasonably believes that the covered cyber incident has occurred.” Authority for defining which incidents are subject to reporting is delegated to the CISA director.

Entities are also required to report to CISA when they have made a ransom payment to the perpetrators of a ransomware attack. The report must be made within 24 hours after the payment takes place. This requirement applies even if the ransomware attack is not otherwise subject to the reporting mandate found elsewhere in the law.

If the entity does have to report the ransomware attack, it may submit a single report for both the attack and the ransom payment. In addition, entities already required to report cyber incidents to another federal agency will not be required to do so to CISA as well, provided the agency has agreed to share such reports with CISA and they meet the requirements set by the director.

Entities will have to supplement their reports if “substantial new or different information” comes to light, and they will also be required to preserve any data that bears on their disclosures.

CISA is to issue a notice of proposed rulemaking regarding the matters left to the director’s discretion within the next two years, with a final rule to follow within 18 months after the NOPR. The final rule will also specify what content entities must include in their cyber incident and ransom payment reports, as well as the data preservation requirements.

Once the rule is in place, CISA must provide monthly briefings to congressional leadership on the national cyber threat landscape based on reports it has received. The agency may also share incident and ransom payment reports with other federal agencies, though the data may only be used:

• for cybersecurity purposes;
• to identify a cyber threat or security vulnerability;
• to respond to, prevent or mitigate a specific threat of death or serious bodily or economic harm;
• to respond to, investigate, prosecute, prevent or mitigate a serious threat to a minor; or
• to prevent, investigate, disrupt or prosecute an offense arising out of a reported cyber incident or ransomware attack.

CISA may also compel entities to release information on suspected cyber incidents or payments through subpoenas and civil lawsuits. Entities that do not provide information voluntarily are not eligible for provisions in the law that provide anonymity for reports.

NERC, CISA Applaud Requirements

NERC praised the new legislation in a statement to ERO Insider, calling it “an important measure to protect critical infrastructure from persistent cyber threats” and a “further enhancement” to the information-sharing operations of NERC and the Electricity Information Sharing and Analysis Center (E-ISAC). The organization said it will continue to “monitor the rulemaking process … particularly the requirements for reporting incidents to ISACs and any other provisions which further our coordination efforts with our federal government partners.”

In a statement issued after the bill’s passage last week, CISA director Jen Easterly called the legislation “a game-changer [and] a critical step forward in the collective cybersecurity of our nation.”

“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” Easterly said. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”