On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website.  The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022.  CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA.  While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements.  Under CIRCIA, the final rule must be published by September 2025.

The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert.  This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements.  The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register. 

Covered Entities

CIRCIA broadly defined “Covered Entity” to include entities that are in one of the 16 critical infrastructure sectors established under Presidential Policy Directive 21 (“PPD-21”) and directed CISA to develop a more comprehensive definition in subsequent rulemaking.  Accordingly, the Proposed Rule (1) addresses how to determine whether an entity is “in” one of the 16 sectors and (2) proposes two additional criteria for the Covered Entity definition, either of which must be met in order for an entity to be covered.  Notably, the Proposed Rule’s definition of Covered Entity would encompass the entire corporate entity, even if only a constituent part of its business or operations meets the criteria.  Thus, Covered Cyber Incidents experienced by a Covered Entity would be reportable regardless of which part of the organization suffered the impact.  In total, CISA estimates that over 300,000 entities would be covered by the Proposed Rule.

Figure: Decision tree that demonstrates the overarching elements of the Covered Entity definition. For illustrative purposes only.

16 Critical Infrastructure Sectors.  Consistent with CIRCIA, the proposed regulatory text of the Covered Entity definition includes that entities must be “in a critical infrastructure sector,” but the text does not define this term or describe how to determine which entities are within those sectors.  However, the commentary in the Proposed Rule states that this threshold question is effectively tied to the sector descriptions in the critical infrastructure Sector-Specific Plans (“SSPs”) that were developed pursuant to PPD-21.  Thus, entities can rely on the SSPs to determine if they are “in” a sector.  Notably, the scope of the SSPs is not limited to owners and operators of critical infrastructure systems and assets.  Accordingly, the Proposed Rule indicates that reporting requirements would also apply to a “small subset” of entities covered in the SSPs that are “active participants” in a particular sector and that can impact the security of critical infrastructure.

Additional Criteria.  The Proposed Rule then outlines two additional scoping criteria for the definition of Covered Entity: (1) the size of an entity and (2) whether the entity meets certain sector-based criteria.  A critical infrastructure entity that falls within one of the 16 sectors described above need only fall within one of these categories to be a Covered Entity.  

  • Size-Based Criteria.  Under the Proposed Rule, any entity within a critical infrastructure sector that exceeds the U.S. Small Business Administration’s (“SBA”) small business size standard as specified by the applicable North American Industry Classification System (“NAICS”) code would be a Covered Entity.  These standards vary by industry and are generally based on an entity’s number of employees or annual revenue.  Under the Proposed Rule, each entity would follow the SBA’s rules for calculating size and revenue, including identifying which NAICS code must be applied to determine whether it meets the size-based criteria.  Depending on the industry, the SBA standard’s employee and revenue thresholds can vary significantly.
  • Sector-Based Criteria.  The Proposed Rule specifies that Covered Entities would also include any entity within a critical infrastructure sector that meets one or more enumerated sector-based criteria, regardless of whether it exceeds the above-referenced SBA standards.  These criteria are generally based on whether entities own or operate certain facilities or perform key functions.  High-level summaries of the sector-based criteria are provided in the table below.
| Sector | Sector-Based Criteria |
| --- | --- |
| Chemical | Any entity in a critical infrastructure sector that owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards (“CFATS”) |
| Communications | Any entity that provides communications services by wire or radio communications, as defined in 47 U.S.C. §§ 153(40), 153(59), to the public, business, or government, including both one-way communications service providers (e.g., radio, television, and satellite) and two-way communications service providers (e.g., telecommunications, wireless service, VoIP, and internet service) |
| Critical Manufacturing | Any entity that owns or has business operations that engage in one or more of the following: (i) primary metal manufacturing; (ii) machinery manufacturing; (iii) electrical equipment, appliance, and component manufacturing; or (iv) transportation equipment manufacturing |
| Defense Industrial Base | Any entity that is a contractor or subcontractor required to report cyber incidents to the Department of Defense pursuant to the Defense Federal Acquisition Regulation Supplement cyber incident reporting clause, codified at 48 C.F.R. § 252.204-7012 (often referred to as the “DFARS Cyber Clause” or “DFARS 7012 Clause”) |
| Emergency Services | Any entity that provides one or more of the following emergency services or functions to a population of 50,000 or more individuals: (i) law enforcement, (ii) fire and rescue, (iii) emergency medical services, (iv) emergency management, or (v) public works that contribute to public health and safety |
| Energy | Any entity required to report cybersecurity incidents under the North American Electric Reliability Corporation (“NERC”) Critical Infrastructure Protection (“CIP”) Reliability Standards or required to file an Electric Emergency Incident and Disturbance Report OE-417 form, or any successor form, to the Department of Energy |
| Financial Services | Any entity within the Financial Services sector (i) required to report cybersecurity incidents to their respective primary federal regulator, (ii) for whom the primary federal regulator has indicated an intention to require cybersecurity incident reporting, or (iii) that is encouraged or expected to report cybersecurity incidents to their primary federal regulator pursuant to an Advisory Bulletin |
| Government Facilities | Any entity that falls within one of the following categories: (a) any state, local, tribal, or territorial (“SLTT”) government entity for a jurisdiction of 50,000 or more individuals; (b) any entity that qualifies as either a local educational agency, educational service agency, or state educational agency, as defined under 20 U.S.C. § 7801, with a student population of 1,000 or more students, or an institute of higher education that receives funding under Title IV of the Higher Education Act; or (c) any entity that manufactures, sells, or provides managed services for information and communications technology specifically used to support election processes or report and display results on behalf of SLTT governments |
| Healthcare and Public Health | Any entity that (i) owns or operates a hospital with 100 or more beds or a critical access hospital, (ii) manufactures drugs listed in appendix A of the Essential Medicines Supply Chain and Manufacturing Resilience Assessment, or (iii) manufactures a moderate risk (Class II) or high risk (Class III) device as defined by 21 U.S.C. § 360c |
| Information Technology | Any entity that (i) knowingly provides IT hardware, software, systems, or services to the federal government, (ii) developed and continues to sell, license, or maintain any software that meets the definition of “critical software” as defined by the National Institute of Standards and Technology pursuant to Executive Order 14028, (iii) is an original equipment manufacturer, vendor, or integrator of operational technology (“OT”) hardware or software components, or (iv) performs functions related to domain name operations |
| Nuclear Reactors, Materials, and Waste | Any entity that owns or operates a commercial nuclear power reactor or fuel cycle facility |
| Transportation Systems | Any entity that falls within one of the following categories: (a) entities identified by the Transportation Security Administration (“TSA”) as requiring cyber incident reporting and (in some cases) enhanced cybersecurity measures; (b) owners and operators of freight railroad carriers identified under 49 C.F.R. § 1580.1(a)(1), (4), and (5) and public transportation and passenger railroads identified in 49 C.F.R. § 1582.1; (c) owners and operators of critical pipeline facilities and systems identified in 49 C.F.R. part 1586; (d) entities required to implement a TSA-approved security program under 49 C.F.R. parts 1542, 1544, 1548, and 1549 (airports, passenger and all-cargo aircraft operators, indirect air carriers, and Certified Cargo Screening Facilities); or (e) entities that own or operate assets subject to the Maritime Transportation Security Act |
| Water and Wastewater Systems | Any entity that owns or operates a Community Water System or Publicly Owned Treatment Works, as defined in 42 U.S.C. § 300f(15) or 40 C.F.R. § 403.3(q) respectively, for a population greater than 3,300 people |

The Proposed Rule does not include any separate sector-based criteria for the Commercial Facilities Sector, the Dams Sector, or the Food and Agriculture Sector, and would instead rely on the size-based or overlapping sector-based criteria to determine which entities in these sectors qualify as Covered Entities.

Covered Cyber Incidents and Ransomware Attacks

CIRCIA requires that Covered Entities report to CISA (1) any Covered Cyber Incident within 72 hours, and (2) any Ransomware Attack that results in a ransom payment within 24 hours.  CIRCIA also requires Covered Entities to promptly submit certain supplemental reports providing updated or additional information about the incident following the initial submission.  While CIRCIA included specific definitions for Ransomware Attack and Ransom Payment, which the Proposed Rule largely aligns with, CIRCIA directed CISA to provide a definition with more detailed criteria for a Covered Cyber Incident as part of the rulemaking process.

The Proposed Rule would define a Covered Cyber Incident to include two subsidiary definitions – a Cyber Incident and a Substantial Cyber Incident.  First, the Proposed Rule provides a definition for the term Cyber Incident—that is, an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.  A Cyber Incident that then meets certain impact-based criteria would be considered a Substantial Cyber Incident.  Finally, a Covered Cyber Incident would be defined as any Substantial Cyber Incident experienced by a Covered Entity.

The Proposed Rule states that a Cyber Incident must meet certain impact-based criteria in order to be a Substantial Cyber Incident.  There are four such criteria and an incident needs to meet only one of the four criteria to constitute a Substantial Cyber Incident.

  • Substantial Loss of Confidentiality, Integrity, or Availability.  The first criterion is a “substantial” loss of confidentiality, integrity, or availability (“CIA”) of an information system (including operational technology, or OT) or a network.  The Proposed Rule notes that whether loss is “substantial” will depend on a variety of factors, including the type, volume, impact, and duration of the loss, such as an attack that cuts off services for an extended period or persistent access to information systems by a threat actor.
  • Serious Impact on Safety and Resilience.  The second criterion is a “serious” impact on the safety and resiliency of operational systems and processes.  The Proposed Rule cites NIST definitions of safety and resilience, and notes that “serious” will also depend on a variety of factors, such as the safety hazards posed by an incident.  For example, the Proposed Rule states that a cyber incident would meet this definition if it noticeably increases the potential for a release of hazardous chemicals used in chemical manufacturing or water purification, disrupts or compromises a Bulk Electric System (“BES”) cyber system that performs reliability tasks in the electric grid, or disrupts the ability of a communications service provider to transmit or deliver 911 calls.
  • Significant Operational Disruption.  The third criterion is a disruption of the ability to engage in business or industrial operations, or deliver goods or services, due to:  (1) an attack (including, but not limited to, a denial-of-service attack, ransomware attack, or exploitation of a zero-day vulnerability) against (i) an information system or network or (ii) an operational technology system or process; or (2) a loss of service facilitated through, or caused by, a compromise of a cloud service provider (“CSP”), managed service provider (“MSP”), other third-party data hosting provider, or by a supply chain compromise.  The Proposed Rule’s commentary notes that the disruption must be significant, akin to the “substantial” and “serious” qualifiers discussed above.
  • Significant Third-Party Compromise.  The last criterion is unauthorized access to an information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a CSP, MSP, other third-party data hosting provider, or a supply chain compromise.  While similar to the loss of CIA, this criterion is focused on third-party and supply chain compromise.  Again, the Proposed Rule’s commentary notes that the impacts must be significant to meet this criterion.

CISA states in the Proposed Rule that it interprets CIRCIA to limit the fourth criterion to unauthorized access that is achieved by the enumerated causes set forth in CIRCIA’s original statutory text (e.g., compromise of a CSP or supply chain compromise).  To avoid ambiguity, the Proposed Rule includes a statement that a Cyber Incident that impacts a Covered Entity and results in any of the impacts identified in the first three criteria is a Substantial Cyber Incident, regardless of what caused the incident.  In other words, the first three criteria are not limited by the source of a compromise (e.g., third-party compromise) or a particular attack vector (e.g., exploitation of a zero-day). 

Exceptions

The Proposed Rule includes three exceptions to reporting requirements.  First, Covered Entities are not required to report to CISA if the entity provides a legally required incident report to another federal agency that contains substantially similar information, is provided in a substantially similar timeframe, and can be shared within that timeframe under an information sharing agreement between CISA and the federal agency.  Second, the Proposed Rule exempts critical infrastructure owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System.  Third, federal agencies required by the Federal Information Security Modernization Act to report incidents to CISA are exempt from reporting those incidents under CIRCIA.

Other Matters

The Proposed Rule addresses various other aspects of CIRCIA, including incident reporting content requirements and mechanisms, data and records preservation requirements, enforcement mechanisms, and additional definitions (e.g., CSP and Information System).  These and other matters will be addressed in further detail in the forthcoming client alert.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Shayan Karbassi

Shayan Karbassi is an associate in the firm’s Washington, DC office. He represents and advises clients on a range of cybersecurity and national security issues. As a part of his cybersecurity practice, Shayan assists clients with cyber and data security incident response and preparedness, government and internal investigations, and regulatory compliance. He also regularly advises clients with respect to risks stemming from U.S. criminal and civil anti-terrorism laws and other national security issues, to include investigating allegations of terrorism-financing and litigating Anti-Terrorism Act claims.

Shayan maintains an active pro bono litigation practice with a focus on human rights, freedom of information, and free media issues.

Prior to joining the firm, Shayan worked in the U.S. national security community.

John Webster Leslie

Web Leslie advises clients on a broad range of risks, challenges, and opportunities at the intersection of technology and security, including on matters of cybersecurity, critical infrastructure, national security, and data privacy.

As a part of his investigations practice, Web helps clients navigate complex civil and criminal investigations related to cyber and national security, including under the False Claims Act, FTC Act, and state equivalents. His practice also includes helping clients manage internal investigations related to cyber compliance and insider threat risks. Web also routinely advises clients throughout all stages of incident response and breach notification arising from nation-state activity, sophisticated criminal threat actors, and other cyber threats.

On compliance matters, Web assists clients across numerous industries, including in healthcare, financial services, telecommunications, technology, transportation, manufacturing, food and beverage, and insurance, to address the ever-expanding regulatory landscape. He advises on various issues including: statutory and contractual security requirements, cybersecurity guidance and best practices, cyber maturity assessments, incident preparedness, critical infrastructure risks, third-party risk management, and international cyber regulations, among others. Web’s regulatory practice also includes public policy advocacy related to cyber regulation and national security policy.

In addition to his regular practice, Web counsels pro bono clients on technology, immigration, and criminal law matters.

Web previously served in government in different roles at the Department of Homeland Security, including at the National Protection and Programs Directorate—known today as the Cybersecurity and Infrastructure Security Agency—where he specialized in cybersecurity and critical infrastructure protection, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.