November 29, 2022

Volume XII, Number 333


November 28, 2022


CISA Seeking Input on Cyber Incident Reporting for Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on various aspects of proposed incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (discussed here). CISA issued a Request for Information (RFI) and has scheduled a number of listening sessions across the country. Written comments may be submitted until November 14, 2022.

CISA is particularly interested in input from owners and operators of critical infrastructure entities on the potential impact of the proposed requirements. CISA has provided a non-exhaustive list of topics related to the rulemaking, but of note are the following:

  • The definition of “covered entity” including the number of entities, either overall or for a specific industry or sector

  • The meaning of “covered cyber incident” and “substantial cyber incident” and in particular how to better align these definitions with other federal incident reporting requirements

  • What constitutes a “reasonable belief” that a covered cyber incident has occurred

  • The meaning of “ransom payment” and “ransomware attack,” and when the timeline for reporting a ransom payment should begin

  • Input about information preservation after an incident, including methods, cost, and duration

  • The role of third-party entities in submitting covered cyber incident or ransomware reports

Putting it Into Practice: The RFI outlines key terms and considerations relevant to critical infrastructure and provides insight on CISA’s general approach to incident response, which may serve as the basis for future requirements applicable to other sectors. This comment period is an opportunity for companies to influence the scope and impact of the final rule. Comments may be submitted through November 14, 2022 at

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 269

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

Lauren Weiss, Associate, Washington D.C., Sheppard, Mullin, Richter & Hampton LLP

Lauren Weiss is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Lauren’s practice focuses on government contracts litigation, investigations, and counseling matters including the following areas: Cybersecurity counseling, Internal Investigations, Regulatory compliance, Bid protests before the U.S. Government Accountability Office, Civil False Claims Act litigation defense, and Transactional due diligence.