On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) released an unpublished version of a Notice of Proposed Rulemaking (“NPRM”), as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The NPRM will be officially published on April 4, 2024, and comments are due by June 3, 2024. Pursuant to the proposed rules, “covered entities” would be required to report (1) “qualifying cyber incidents,” (2) ransom payments made in response to a ransomware attack, and (3) any substantially new or different information discovered related to a previously submitted report to CISA. Covered entities are required to notify CISA within 72 hours in the event of a qualifying cyber incident and within 24 hours, in the event that payment is made in response to a ransomware attack.

CISA proposes that qualifying cyber incidents are “substantial” cyber incidents that lead to (1) a substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network; (2) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; (3) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or (4) unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

CISA also proposes that a “covered entity” include entities (1) within a critical infrastructure sector that exceed small business size standards specified by the U.S. Small Business Administration or (2) subject to sector-specific standards that CISA proposes developing for critical infrastructure entities. CISA considers 16 sectors to be “critical infrastructure:” chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; state, local, tribal, and territorial government coordinating council; transportation systems; and water and wastewater.

In the event a covered entity experiences one of the three above-listed reportable events, CISA proposes that a covered entity must submit reports through a web-based form, the “CIRCIA Incident Reporting Form,” that will be available on the reporting page of CISA’s website. The proposed rules would give CISA the enforcement power to issue a Request for Information or a subpoena. Failure to comply with a subpoena could lead a referral of the matter to the U.S. Attorney General to enforce compliance. Covered entities that knowingly and willfully make materially false or fraudulent statements or representations within or in connection with a CIRCIA Report, RFI Response, or reply to an administrative subpoena is subject to penalties.