27 September 2022

CISA Seeking Input On Cyber Incident Reporting For Critical Infrastructure

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on various aspects of proposed incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (discussed here). CISA issued a Request for Information (RFI) and has scheduled a number of listening sessions across the country. Written comments may be submitted until November 14, 2022.

CISA is particularly interested in input from owners and operators of critical infrastructure entities on the potential impact of the proposed requirements. CISA has provided a non-exhaustive list of topics related to the rulemaking, but of note are the following:

  • The definition of "covered entity" including the number of entities, either overall or for a specific industry or sector
  • The meaning of "covered cyber incident" and "substantial cyber incident" and in particular how to better align these definitions with other federal incident reporting requirements
  • What constitutes a "reasonable belief" that a covered cyber incident has occurred
  • The meaning of "ransom payment" and "ransomware attack," and when the timeline for reporting a ransom payment should begin
  • Input about information preservation after an incident, including methods, cost, and duration
  • The role of third-party entities in submitting covered cyber incident or ransomware reports

Putting it Into Practice: The RFI outlines key terms and considerations relevant to critical infrastructure and provides insight on CISA's general approach to incident response, which may serve as the basis for future requirements applicable to other sectors. This comment period is an opportunity for companies to influence the scope and impact of the final rule. Comments may be submitted through November 14, 2022 at https://www.regulations.gov/document/CISA-2022-0010-0002.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
