Policy Backgrounders
The Conference Board uses cookies to improve our website, enhance your experience, and deliver relevant messages and offers about our products. Detailed information on the use of cookies on this site is provided in our cookie policy. For more information on how The Conference Board collects and uses personal data, please visit our privacy policy. By continuing to use this Site or by clicking "OK", you consent to the use of cookies. 

Policy Backgrounders

CED’s Policy Backgrounders provide timely insights on prominent business and economic policy issues facing the nation.

CISA Proposed Rule on Cyber Reporting for Critical Infrastructure Sectors

April 12, 2024

Trusted Insights for What’s Ahead™

The Department of Homeland Security published its proposed regulation to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that mandates reporting of cyber breaches to the Cybersecurity & Infrastructure Security Agency (CISA) for a wide range of entities designated as part of US critical infrastructure.

  • CIRCIA, enacted in March 2022, requires covered entities generally to report cyber incidents within 72 hours and ransomware payments within 24 hours through a specified form on CISA's website, requiring disclosure of incident details and the preservation of related data for two years.
  • CISA proposes a broad scope of “covered entities” across its 16 infrastructure sectors, while including exemptions for certain small businesses. The proposal also defines a "substantial” cyber incident broadly, excluding minor disruptions.
  • CISA estimates that up to 316,244 entities will be covered under this rule, resulting in approximately 210,525 breach reports over 11 years, with compliance a cost of $1.4 billion to the industry and $1.2 billion to the Federal Government. (The total cost of cyberattacks to the economy is far larger.)
  • Comments on the regulation are due by June 3, 2024. CISA expects to issue a final rule in late 2025, with implementation in 2026.

Authors

hubCircleImage