Policy Backgrounders

CISA Proposed Rule on Cyber Reporting for Critical Infrastructure Sectors

April 12, 2024

Trusted Insights for What’s Ahead^®

The Department of Homeland Security published its proposed regulation to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that mandates reporting of cyber breaches to the Cybersecurity & Infrastructure Security Agency (CISA) for a wide range of entities designated as part of US critical infrastructure.

• CIRCIA, enacted in March 2022, requires covered entities generally to report cyber incidents within 72 hours and ransomware payments within 24 hours through a specified form on CISA's website, requiring disclosure of incident details and the preservation of related data for two years.
• CISA proposes a broad scope of “covered entities” across its 16 infrastructure sectors, while including exemptions for certain small businesses. The proposal also defines a "substantial” cyber incident broadly, excluding minor disruptions.
• CISA estimates that up to 316,244 entities will be covered under this rule, resulting in approximately 210,525 breach reports over 11 years, with compliance a cost of $1.4 billion to the industry and $1.2 billion to the Federal Government. (The total cost of cyberattacks to the economy is far larger.)
• Comments on the regulation are due by June 3, 2024. CISA expects to issue a final rule in late 2025, with implementation in 2026.