The Eclipse has Nothing on This...

Earlier last week, we watched the much-anticipated Solar Eclipse take place. It wasn’t too exciting here in Arizona, but we made our obligatory march outside to peek into funny glasses and look into the sky. It was fun to watch people across the way hold colanders up to the sky while watching the ground. It's not something you see every day.

The week before the eclipse, a much more momentous event occurred, one that everyone should pay attention to.

On April 4, 2024, the Department of Homeland Security published its highly anticipated Notice of Proposed Rulemaking (NPRM) for the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

CIRCIA Background

CIRCIA was signed into law on March 15, 2022, and charges the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring “Covered Entities” to report covered cyber incidents and ransomware payments to CISA. The comment period ends June 3.

CISA is required to publish the Final Rule within 18 months after the publication of the NPRM (by October 4, 2025) The final Rule will likely take effect in early 2026.

For an estimated 316,244 “Covered Entities,” life will change as we approach implementation.

Covered Entities under CIRCIA

First, you have to figure out if you are one of the “Covered Entities.”

Covered Entities come from sixteen designated critical infrastructure sectors:

1. Chemical
2. Commercial facilities
3. Communications
4. Critical manufacturing
5. Dams
6. Defense industrial base
7. Emergency services
8. Energy
9. Financial services
10. Food and agriculture
11. Government facilities
12. Healthcare and public health
13. Information technology
14. Nuclear reactors, materials, and waste
15. Transportation systems
16. Water and wastewater systems

There are exemptions for small businesses (as defined by the SBA in 13 CFR Part 121) except if you fall in certain critical sectors.

Those who must comply regardless include those who:

• Own or operate a chemical facility;
• Provide wire or radio services;
• Manufacturing metal, machinery, electrical equipment, or transportation equipment;
• Defense contracting services;
• Emergency services;
• Bulk electric and distribution entity;
• Owns or operates financial services infrastructure;
• State, local, Tribal, or territorial government entity;
• Education facility;
• Information and communication technology to support elections;
• Public-health-related services;
• Provides information technology products and services to the federal government, develops software, or does business related to hardware and software components;
• Own or operate a nuclear power reactor or fuel cycle facility;
• Qualifies as a transportation system entity;
• Own or operate a maritime vessel, facility, or outer continental shelf facility; and
• Own or operate a community water system or public treatment works.

That’s pretty clear (not).

CISA estimates that, overall, $1.1 billion will be spent in firms trying to familiarize themselves with the provisions to see if they apply to their firm.

If you are a Covered Entity, you must report information to CISA and preserve data, or they will subpoena or report you to the Justice Department.

CISA Reporting

CISA requires five types of reports according to defined deadlines. They are:

1. Covered Cyber Incident Report: Must be filed within 72 hours after a covered entity reasonably believes that a covered incident occurred
2. Ransom Payment Report: Must be filed within 24 hours after the payment was made
3. Joint Covered Cyber Incident and Ransom Payment Report: Must be filed within 72 hours of a covered cyber incident if a covered entity makes a ransom payment
4. Supplemental Report: Must be filed within 24 hours of payment if a covered entity makes a ransom payment related to a previously reported cyber incident.
5. Optional Report: Covered entity may file a report to state when a covered cyber incident has been concluded.

The Rule defines a Covered Cyber Incident as a substantial cyber incident experienced by a covered entity.

The Rule defines a Cyber Incident as an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system; or actually jeopardizes, without lawful authority, an information system.

There will be much more to come as this progresses through the federal process.

Overall, the cost is estimated to approach $587 million in 2026 in the initial year alone and $2.6 billion over the analysis period. That’s some serious money.

It will only be eclipsed by the confusion over implementation.

Would $2.6 billion spent on hardening the defenses of the Covered Entities yield a better return on investment than collecting reports? Probably.

The comment period ends June 3. Most small organizations have no idea what is coming their way.

We hope to get the word out. This is going to change many relationships.

While we don’t have to deal with another visible solar eclipse until 2044, we will certainly deal with the ramifications of CIRCIA before then.

If you need help figuring out how this proposed rule might affect your organization, give us a call to discuss.