Sophos offers guidance on CIRCIA for cybersecurity professionals.

# New Cyber Incident Reporting Legislation in the United States

In March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law in the United States. This legislation mandates that covered entities report cyber incidents and ransomware payments to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within specified timeframes. CISA will have enforcement powers for the first time, marking a significant shift in cybersecurity regulation.

## Who is Affected by CIRCIA?

The legislation applies to United States “Covered Entities” in critical infrastructure sectors outlined by Presidential Policy Directive 21. These sectors include energy, transportation, and healthcare, among others. Education is also considered a subsector within the Government Facilities Sector, encompassing various educational institutions.

## Requirements of the Legislation

While reporting under CIRCIA will become mandatory in 2025, organizations are encouraged to voluntarily share cyber incident information with CISA. Once the Final Rule is implemented, covered entities will have to report cyber incidents and ransomware payments within specific timeframes, preserve relevant data, and provide updates as necessary.

## What Constitutes a Covered Cyber Incident?

The legislation defines covered cyber incidents as events causing substantial loss of confidentiality, business disruption, or unauthorized access to systems. The final legislation will consider factors like data sensitivity, impact on operations, and potential threats to industrial control systems.

## Contents of a Report and Third-Party Reporting

Reports must include incident details, impact assessments, and contact information. Covered entities may engage third parties like incident response firms or law firms to submit reports on their behalf. Failure to comply with reporting requirements may lead to enforcement actions by CISA.

## Protections for Reporting Parties

CIRCIA reports are expected to be confidential and exempt from disclosure under relevant laws. Reporting entities can assert their rights in writing to protect sensitive information.

## Key Points:
– CIRCIA mandates reporting of cyber incidents and ransomware payments by covered entities.
– Covered sectors include critical infrastructure industries like energy and healthcare.
– Reporting requirements will be enforced by CISA, with penalties for non-compliance.
– Third parties can submit reports on behalf of affected entities.
– Reporting parties are protected under confidentiality exemptions.

In conclusion, the implementation of CIRCIA signifies a proactive approach to enhancing cybersecurity in critical infrastructure sectors. Organizations must prepare to comply with reporting requirements to ensure effective incident response and safeguard sensitive information.