Update on Cyber Incident Reporting for Critical Infrastructure Act of 2022

As we near the end of another year, it is time to look ahead to developments in the information security and privacy landscape. One area of particular importance is the development of regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

CIRCIA, which was signed into law in March 2022 as Division Y of the Consolidated Appropriations Act, 2022, will require, among other things, “covered entities” to report “covered cyber incidents” to the Cybersecurity and Infrastructure Security Agency “not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.” CIRCIA will also require covered entities to report to CISA ransom payments “not later than 24 hours after the ransom payment has been made.” As explained below, the reporting requirements are not yet in effect.

Before the reporting requirements go into effect, CISA must issue regulations defining some of the applicable terms, notably “covered entity” and “covered cyber incident.” Although additional clarification will be provided, the law does note that a covered entity must be an entity within a critical infrastructure sector and that a covered cyber incident “means a substantial cyber incident experienced by a covered entity[.]” CISA is required to publish a Notice of Proposed Rulemaking (proposed regulations) by March 2024. The proposed regulations will be open for public comment before final regulations are issued.

Although it will be a while before final regulations go into effect, it is not too early for organizations to prepare. Some organizations – especially those in specific sectors like the Healthcare and Public Health Sector, are already subject to federal incident reporting. However, CIRCIA requires CISA to establish and chair an intergovernmental cyber incident reporting council. This council is intended to coordinate, deconflict, and harmonize federal incident reporting requirements. If this council is successful in its mission, the result could be a lessened administrative burden on reporting, and increased coordination and response from the federal government.

Given the likely impact of these rules and regulations, we will continue to monitor developments. We also recommend that potential covered entities watch for the proposed regulations and, if comfortable doing so, submit comments. Organizations should also continue to review and update their incident response and notification plans consistent with the development of the regulations, as well as with other legislative and regulatory changes.

The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries develop a comprehensive incident response plan or support with a breach.  We are here to help!  The Constangy Cyber Team is available 24/7.  Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

  • Sebastian  Fischer
    Senior Counsel

    Sebastian is a member of the Constangy Cyber Team and is based in Washington, D.C. He brings a wealth of experience in cybersecurity and risk management in providing compliance advisory services to clients. He is dedicated to ...

  • Sean  Hoar

    Sean, a partner in the Portland office, serves as chair of the Constangy Cyber Team. His background includes almost 25 years of experience with data privacy and information security matters. He is a former cyber attorney for the U.S ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 


* indicates required
Back to Page