U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022

How to prepare your organization for compliance with the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires organizations in critical infrastructure sectors to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. These requirements will take effect only once CISA issues the rules that define them, which could take up to 42 months. Read on to understand how you can prepare.

Automate United States regulatory and contractual obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the legal crisis out of your incident response

The Role of CISA in Defining Incident Response Guidelines

Short-Term Responsibilities

CISA is a US federal agency under the Department of Homeland Security that’s responsible for defining who and what the act covers and how it gets enforced. The agency has 24 months to issue a notice of proposed rulemaking and 18 months from that notice to issue a final rule. The act will not be effective until that time.

Long-Term Responsibilities

  • Determining the impact of cyber incidents on public health and safety
  • Sharing information about cyber incidents with federal agencies
  • Sharing details about cyber incidents to educate about threats
  • Investigating cyber incidents and sharing strategies to reduce damage

Enforcement Responsibilities

CISA leads enforcement by requesting information and issuing subpoenas. If an organization fails to comply with orders, CISA can refer it to the US Attorney General, who can enforce the subpoena through civil action, hold the organization in contempt of court, or refer the matter for criminal prosecution.

Who Must Comply with the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The act applies to the critical infrastructure sector, made up of 16 sectors as broadly defined in Presidential Policy Directive 21. It’s now up to CISA to specify which of these sectors must comply with the new law based on how a cyberattack on an organization within each sector would impact:

  1. National and economic security
  2. Public health and safety
  3. Critical operations within the US

Types of Incidents Covered Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The act requires organizations to report a “substantial cyber incident” and all ransom payments to CISA.

What is a cyber incident?
An unauthorized occurrence that actually or imminently jeopardizes the integrity, confidentiality, or availability of information on an information system, or the information system itself.

What still needs to be defined?
What qualifies as a “substantial” cyber incident that’s reportable under the act, based on a minimum threshold.

What is the minimum threshold for substantial cyber incidents?
  • Substantial loss of confidentiality, integrity, or availability of an information system, or a serious impact to its safety and resiliency
  • Disruption of operations due to a cyberattack directly targeting the organization’s information or information systems
  • Unauthorized access or disruption of operations due to a loss of service from a third party provider

Reporting Measures Required Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The act has two sets of reporting requirements: one for substantial cyber incidents and one for ransom payments. In both cases, organizations must:

  • Alert CISA through reports of any substantially new or different information until the incident is fully mitigated and resolved
  • Maintain all data related to the incident based on guidance CISA will define

Reporting Requirements for Substantial Cyber Incidents

When: Covered entities must issue a report to CISA within 72 hours of when they “reasonably believe” the incident has occurred. The act does not define “reasonably believe” nor does it require CISA to define it.

How: CISA will define any restrictions for the formatting or delivery of the report.

What: CISA will define specifics for what reports must contain. At a minimum, they will require:

  • Description of what happened (what was affected, type of attack, estimated date range, and operational impact)
  • Description of the vulnerabilities exploited, security defenses in place, and tactics used to gain access during the attack
  • Identification of, or contact information for, those reasonably believed to be responsible
  • Categories of information reasonably believed to have been subject to unauthorized access or acquisition
  • Identification of the impacted entity
  • Contact information for the impacted entity or an authorized agent of the entity

Reporting Requirements for Ransom Payments

When: Covered entities must issue a report to CISA within 24 hours of making the payment.

How: CISA will define any restrictions for the formatting or delivery of the report.

What: CISA will define specifics for what reports must contain. At a minimum, the act requires all of the above points of information as well as:

  • The date of the ransom payment
  • The ransom payment demand, including the type of currency requested
  • The ransom payment instructions, including where to send the payment
  • The amount of the ransom payment
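The two reporting clocks and minimum report contents described above lend themselves to a small tracker that an incident response team can keep beside its runbook. The following is an added example written for this page, not BreachRx code and not anything CISA has published; the field names, the incident data model, and the reading of the deadlines (72 hours from the "reasonably believe" moment, 24 hours from the ransom payment, supplemental reports until resolved) are the author's assumptions and should be revisited once CISA publishes its final rule.

```python
"""Illustrative tracker for the act's two reporting clocks (added example, not BreachRx code).

Assumptions (not from the page or CISA): field names below, timezone-aware
datetimes everywhere, and a report counts as filed once a timestamp is set.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

INCIDENT_WINDOW = timedelta(hours=72)  # from when the entity reasonably believes the incident occurred
RANSOM_WINDOW = timedelta(hours=24)    # from when the ransom payment is made

# Minimum content of an incident report, paraphrased from the page (keys are assumed names).
INCIDENT_FIELDS = (
    "description",        # what happened: affected systems, attack type, date range, operational impact
    "vulnerabilities",    # vulnerabilities exploited, defenses in place, tactics used to gain access
    "responsible_party",  # identification or contact info for those reasonably believed responsible
    "data_categories",    # categories of information believed accessed or acquired
    "entity",             # identification of the impacted entity
    "contact",            # contact information for the entity or its authorized agent
)
# A ransom payment report needs everything above plus the payment details.
RANSOM_FIELDS = INCIDENT_FIELDS + ("payment_date", "demand", "instructions", "amount")


@dataclass
class Incident:
    reasonably_believed_at: datetime            # start of the 72-hour clock
    ransom_paid_at: Optional[datetime] = None   # start of the 24-hour clock, if any
    initial_report_at: Optional[datetime] = None
    ransom_report_at: Optional[datetime] = None
    resolved: bool = False                      # supplemental reports continue until True
    report: Dict[str, str] = field(default_factory=dict)


def _aware(ts: datetime) -> datetime:
    """Reject naive datetimes: mixing naive and aware values raises at comparison time."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts


def deadlines(inc: Incident) -> Dict[str, datetime]:
    """Return the due time of each report the incident triggers."""
    due = {"incident_report": _aware(inc.reasonably_believed_at) + INCIDENT_WINDOW}
    if inc.ransom_paid_at is not None:
        due["ransom_report"] = _aware(inc.ransom_paid_at) + RANSOM_WINDOW
    return due


def missing_fields(inc: Incident) -> List[str]:
    """List required report fields that are absent or empty."""
    required = RANSOM_FIELDS if inc.ransom_paid_at is not None else INCIDENT_FIELDS
    return [name for name in required if not inc.report.get(name)]


def open_obligations(inc: Incident, now: datetime) -> List[Tuple[str, Optional[datetime], bool]]:
    """Return (obligation, due_time, overdue) for everything still outstanding at `now`."""
    now = _aware(now)
    due = deadlines(inc)
    items: List[Tuple[str, Optional[datetime], bool]] = []
    if inc.initial_report_at is None:
        items.append(("incident_report", due["incident_report"], now > due["incident_report"]))
    if "ransom_report" in due and inc.ransom_report_at is None:
        items.append(("ransom_report", due["ransom_report"], now > due["ransom_report"]))
    if inc.initial_report_at is not None and not inc.resolved:
        # No fixed clock: report substantially new information until mitigated and resolved.
        items.append(("supplemental_reports", None, False))
    return items


def next_due(inc: Incident, now: datetime) -> Optional[Tuple[str, timedelta]]:
    """Earliest outstanding timed report and the time left (negative if already overdue)."""
    timed = [(name, d) for name, d, _ in open_obligations(inc, now) if d is not None]
    if not timed:
        return None
    name, d = min(timed, key=lambda item: item[1])
    return name, d - _aware(now)


if __name__ == "__main__":
    # Constructed sample: belief at 09:00 UTC, ransom paid 60 hours later.
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    inc = Incident(reasonably_believed_at=t0, ransom_paid_at=t0 + timedelta(hours=60))
    print(deadlines(inc))
    print(missing_fields(inc))
    print(open_obligations(inc, now=t0 + timedelta(hours=73)))
    print(next_due(inc, now=t0 + timedelta(hours=73)))
```

Note that a ransom paid late in the 72-hour window can make the ransom report due *after* the incident report, while a payment made early can make it due first; `next_due` always surfaces whichever clock expires soonest, and the supplemental-report obligation is tracked without a fixed due time because the act ties it to resolution rather than to a clock.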

Reporting Protections

The act offers several protections for organizations that issue a report, which extend to any non-covered entities that voluntarily submit a report. These protections include:

  • Not using the reports in regulatory actions against the covered entity
  • Exempting the reports from disclosure under the Freedom of Information Act
  • Considering any reports the commercial, financial, and proprietary information of the organization
  • Not granting any kind of waiver of privileges, including trade secret protections, as a result of a report
  • Not using any reports or records of preparing the report as evidence in hearings or other proceedings
  • Anonymizing the organization when CISA leads information-sharing initiatives

Types of Incidents That Can Trigger a Report Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022

Any covered entity that experiences a substantial cyber incident or makes a ransomware payment must issue a report to CISA. This may include the following types of events:

Distributed Denial of Service (DDoS) Attack

An attack in which hackers create an influx of fake traffic to a server, network, or infrastructure to halt normal operations. The DDoS attack does not breach security, but it’s often used as a decoy for other types of attacks that do breach security.

Nation-state Attack

Zero-Day Attack

In a zero-day attack, hackers exploit a previously unknown vulnerability in software. These attacks are very difficult to detect, and for as long as they continue hackers can have an impact on networks, data, or programs related to the flawed software.

Ransomware Attack

An attack in which hackers use malware to steal data and hold it captive in exchange for a payment. If the victim pays the ransom, the data may or may not be returned. All payments must be reported to CISA, regardless of outcome.

How Organizations Can Prepare to Comply with the Cyber Incident Reporting for Critical Infrastructure Act of 2022

Organizations must take a proactive stance on preparing response plans, assigning clear responsibility to team members for each part of those plans, and streamlining workflows to meet the act’s fast reporting timelines and ongoing requirements for sharing information. CISA is looking to federal guidelines like the NIST Cybersecurity Framework to develop its own guidance, including for dealing with incidents. Specifically, organizations should prepare for three critical phases of incident response:

Readiness

Proactively preparing response plans so that teams can jump into action quickly to reduce the associated costs and accelerate a return to business as usual. Key activities include:

  • Reviewing the requirements outlined in regulations and contracts
  • Outlining clear incident response plans to meet those requirements

Response

Taking action when an incident occurs to meet short reporting timelines and mitigate any loss of trust from customers or the market. Key activities include:

  • Determining what happened (if it meets reporting criteria, how and when it happened, and potential consequences)
  • Assigning and executing tasks to uphold obligations like issuing reports
  • Taking action to resolve the issue where possible

Ongoing Management

Leading long-term efforts to keep response plans up to date as regulations change and threats evolve. Key activities include:

  • Establishing a dashboard for measuring and monitoring incident response and updates to regulations and contracts
  • Maintaining stakeholder alignment and awareness on responsibilities and progress

Why Proactive Incident Response Is Needed Now

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will require proactive incident management to uncover attacks, diagnose what happened, and meet reporting timelines.

Organizations must track changes and definitions to regulations, outline clear response plans, assign responsibility for each step in those plans, and continue to update efforts as regulations evolve. Automation can help accelerate, coordinate, and streamline this process to ensure compliance and help return to business as usual faster.

Minimize your regulatory and contractual risk surface with the BreachRx platform

Stop using spreadsheets and documents to keep track of the legal tasks you need to accomplish during an incident response.