The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which is estimated to impact as many as 316,000 entities.
President Biden signed CIRCIA into law in March 2022. CISA has since been working on its implementation, collaborating with the public and private sectors, as well as the critical infrastructure community.
The cybersecurity agency on Wednesday announced a notice of proposed rulemaking (NPRM), asking the public to submit written comments on the proposal over a period of 60 days starting on April 4.
“CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors,” said Secretary of Homeland Security Alejandro Mayorkas.
CISA estimates that the proposed rules’ costs will total $2.6 billion over a period of 11 years. The agency said roughly 316,000 entities are potentially impacted and it expects to receive more than 210,000 CIRCIA reports, or approximately 25,000 reports per year starting in 2026.
CISA recently requested $116 million for the CIRCIA program for fiscal year 2025, which it will use for staffing, processes, and technology.
CIRCIA requires covered entities to inform CISA of significant cyber incidents within 72 hours and of ransomware payments within 24 hours of the payment being made.
In addition to reporting requirements, CIRCIA has led to the creation of the Joint Ransomware Task Force (JRTF) and the Ransomware Vulnerability Warning Pilot (RVWP) Program, whose goal is to warn critical infrastructure organizations whose systems contain vulnerabilities that could be exploited by ransomware groups.
“[CIRCIA] will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule,” said CISA Director Jen Easterly.