top of page
  • Writer's pictureEnterra

Understanding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): A Comprehensive Guide for Critical Infrastructure Entities

In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) marked a significant advancement in U.S. cybersecurity measures. This legislation mandates critical infrastructure entities to report cyber incidents and ransom payments, aiming to enhance the Cybersecurity and Infrastructure Security Agency's (CISA) ability to provide immediate support, identify cybersecurity trends, and disseminate preventative measures.

Key Reporting Initiatives Under CIRCIA

  1. Cyber Incident Reporting Requirements: Entities are required to report any significant cyber incidents to CISA within 72 hours of their discovery.

  2. Federal Incident Report Sharing: Federal agencies must forward any cyber incident reports to CISA within 24 hours, ensuring a timely exchange of information.

  3. Cyber Incident Reporting Council: Spearheaded by the Department of Homeland Security, this council aims to harmonize federal reporting standards and procedures.

Ransomware-Specific Initiatives

  • Ransom Payment Reporting: Entities must report ransom payments within 24 hours to CISA.

  • Vulnerability Pilot Program: CISA identifies and notifies owners of systems that are vulnerable to ransomware attacks.

  • Joint Ransomware Task Force: This task force coordinates national efforts against ransomware, in collaboration with the FBI and the National Cyber Director.

Implementing CIRCIA's Reporting Requirements with Enterra Solutions

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) presents new challenges for entities in critical infrastructure sectors, requiring them to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of detection. To meet these stringent requirements, proactive cybersecurity measures are essential.

Enterra’s advanced cybersecurity solutions are designed to support entities in complying with CIRCIA. Our state-of-the-art incident detection systems can identify potential cyber threats in real-time, ensuring that all incidents are caught early and reported within the mandated timeframe. Once an incident is detected, Enterra’s automated reporting tools can streamline the process of notifying CISA, reducing the administrative burden and ensuring timely compliance.

Moreover, our ransomware protection services offer critical infrastructure entities robust defenses against one of the most disruptive types of cyber threats. In the event of a ransomware attack, Enterra’s systems facilitate immediate isolation of affected systems, minimizing damage and aiding in rapid recovery, while also ensuring that all ransom payments are reported to CISA within the required 24-hour window.

Through a combination of cutting-edge technology and expert consultancy, Enterra not only helps entities meet CIRCIA's rigorous standards but also strengthens their overall cybersecurity posture, making them less susceptible to attacks and ensuring a more secure future for America's critical infrastructure.

Examples of What Constitutes a 'Substantial' Cyber Incident

  • Significant DDoS Attacks: Incidents causing prolonged service disruptions.

  • System Compromises: Including encryption of critical systems, potential hazardous material releases, or major disruptions to essential services.

  • Ransomware and Unauthorized Access: Such as locking out control systems or unauthorized access through compromised software updates or credentials.

Less Critical Incidents

While the following might not qualify as substantial, they are still important for situational awareness:

  • Minor DDoS Attacks or disruptions causing brief service unavailability.

  • Contained Security Threats: Such as effectively managed malware infections or credential compromises with sufficient controls in place.

  • Unsuccessful Cyber Threats: Including blocked phishing attempts and unexploited known vulnerabilities.

Despite the criteria set for substantial incidents, CISA encourages the reporting of all types of cyber incidents. This inclusive approach helps build a comprehensive view of the cyber threat landscape and fosters proactive cybersecurity practices across all sectors.

NPRM Insights and Enhanced Reporting Details

The Notice of Proposed Rulemaking (NPRM) published in April 2024 provides further clarity and expands on the initial guidelines:

  • New Definitions and Clarity: Clear definitions for "Covered Entities" and "Substantial Cyber Incidents" ensure entities understand their reporting obligations.

  • Supplemental Reporting: Entities must submit additional reports if new information surfaces or subsequent ransom payments are made.

  • Data Preservation: Entities are required to preserve relevant data for two years post-report to ensure evidence is maintained for potential review.

  • Procedures for Reporting: A web-based platform provided by CISA facilitates reporting, with provisions for third-party reporting under specific conditions.

Enforcement and Compliance

CISA has outlined robust enforcement mechanisms for non-compliance, including subpoenas and potential federal contract debarment, highlighting the importance of strict compliance. Also, the NPRM details how collected information will be treated, emphasizing privacy, protection from disclosure, and appropriate use, underscoring CISA's commitment to safeguarding sensitive data.

For entities involved in critical infrastructure, adhering to CIRCIA is essential not only for compliance but as part of a broader initiative to protect national critical assets. Entities are encouraged to thoroughly review the proposed rules, prepare for compliance, and participate in the ongoing dialogue to refine these regulations. Your proactive engagement contributes to building a robust defense against cyber threats, ensuring a safer future.

For further details on CIRCIA or to participate in the public commentary process, visit CISA's CIRCIA page or access the NPRM directly through the Federal Register.



bottom of page