The clock starts soon: Preparing for CIRCIA


Contributors:
Katelyn Ringrose
CIPP/E, CIPP/US, CIPM, FIP
Privacy and Cybersecurity Senior Associate
McDermott Will & Schulte
Stephen Reynolds
CIPP/US
Partner, Privacy and Cybersecurity
McDermott Will & Schulte
Sagar Ravi
Partner
McDermott Will & Emery
If organizations have not already begun preparing for the new reporting requirements for covered entities outlined by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, they should start now. While the regulations required under CIRCIA are currently undergoing the rulemaking process, the reporting requirements are set to become effective in 2026. The proposed rule, developed by the Cybersecurity and Infrastructure Security Agency, requires covered entities to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours. The more that is done to prepare now, the easier reporting within such expedited timelines will be for an organization.
What entities are covered?
CISA estimates more than 300,000 entities will be covered by CIRCIA. The act and proposed rule cover any entity larger than a small business, which is generally defined as having fewer than 500 employees or annual receipts of less than USD 7.5 million, as well as any business, large or small, that offers services in 16 specific sectors. These sectors were chosen for the impact an attack on those entities would have on the U.S. and trade.
Those sectors, established by Presidential Policy Directive 21 and reiterated in the National Security Memorandum on Critical Infrastructure Security and Resilience, are wide-ranging and include health care, information technology, communications, energy, financial services, and transportation. Entities ranging from hospitals to IT companies that have not traditionally considered themselves critical infrastructure should consider whether their sectors have been named critical by CISA by looking through the sector-specific plans, as outlined by PPD-21.