On March 15, 2022, President Biden signed into law the Consolidated Appropriations Act, 2022, H.R. 2471. Division Y of this omnibus appropriations legislation—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—will create significant new rules requiring US critical infrastructure entities to report cybersecurity incidents and ransom payments to the US government. This legislation marks a major expansion of the legal requirements to report cybersecurity incidents and ransom payments.
Critical infrastructure entities will be well-served to consider whether the new reporting requirements will apply to their businesses, whether changes to their cyber programs are necessary to meet these requirements and whether they should participate in the forthcoming rulemaking process, either directly or through industry groups. To that end, we highlight below elements of this new law.
1. Cyber Incident/Ransom Reporting Requirements
The legislation imposes its new reporting requirements on critical infrastructure entities that will be identified through rulemaking by the Director of the Cybersecurity and Infrastructure Security Agency (CISA), within the US Department of Homeland Security (DHS). The legislation requires such covered entities to report certain substantial cyber incidents to CISA within 72 hours of “reasonably believ[ing]” that such a covered cyber incident has occurred. Covered entities will also need to report any ransom payment within 24 hours of making it. This applies to all such payments, including in situations that do not otherwise trigger the incident reporting requirement. Reporting entities will also be required to supplement their initial reports as “substantial new or different information becomes available.” Relatedly, reporting entities will be required to preserve data relevant to their disclosures. These reporting requirements do not apply to entities that, “by law, regulation, or contract,” are already required to report “substantially similar information to another Federal agency within a substantially similar timeframe.” However, the relevant agency must have an “agency agreement and sharing mechanism” in place with CISA for this exception to apply.
The scope of these reporting requirements remains to be determined in a rulemaking required by the legislation. For example, the legislation defines a “covered cyber incident” as one that is “substantial” and meets a “definition and criteria” set by CISA through rulemaking. The final rule will also delineate incident report content requirements, ransom report content requirements and the scope of data preservation requirements. These reporting and preservation requirements will take effect only after implementation of the final rule, at a date specified therein. The legislation requires that a notice of proposed rulemaking be issued within 24 months of enactment and that a final rule follow within 18 months of the notice of proposed rulemaking.
The legislation also provides for voluntary reporting and the reporting of additional information beyond what is legally required. Both types of reporting would receive the same protections as those applicable to mandatory reports (see below).
2. Use of Third Parties
The legislation clarifies how covered entities may leverage the support of third-party vendors to satisfy these new obligations. Specifically, a covered entity may rely on “an incident response company, insurance provider, service provider, Information Sharing and Analysis Organization, or law firm” to submit incident or ransom payment reports. Entities that make or facilitate a ransom payment on behalf of a covered entity are expressly not required to submit ransom payment reports themselves. However, any third party that “knowingly makes a ransom payment on behalf of a covered entity impacted by a ransomware attack shall advise the impacted covered entity of the responsibilities of the impacted covered entity regarding reporting ransom payments.” Thus, entities that knowingly make ransom payments on behalf of covered entities have a “responsibility to advise” their customers of their obligations under the new law, even though the reporting obligation itself stays with the covered entity.
3. Enforcement
The legislation includes enforcement mechanisms to ensure compliance with the new reporting requirements. Specifically, CISA may issue subpoenas to require disclosure after initially requesting disclosure from a covered entity it believes has experienced a reportable cyber incident or made a reportable ransom payment. An entity has 72 hours to respond to such initial request before CISA may issue a subpoena. Failure to comply with the subpoena may result in a civil lawsuit to seek enforcement and possibly contempt of court. This enforcement procedure does not apply to state, local, tribal or territorial governments.
The legislation also withholds certain protections from those covered entities that fail to provide information in accordance with requirements. Specifically, if CISA concludes that information provided in response to a subpoena “may constitute grounds for a regulatory enforcement action or criminal prosecution, the Director may provide such information to the Attorney General or the head of the appropriate Federal regulatory agency, who may use such information for a regulatory enforcement action or criminal prosecution.” Information provided in compliance with the law on a voluntary basis or in response to an initial request is not subject to this risk.
4. Data Use
The legislation sets out CISA’s responsibility for reviewing and disseminating incident and ransom payment reports to federal agencies. However, there are limitations on how this information may be used, subject to the exception noted above. Specifically, such information may only be used:
- for a cybersecurity purpose;
- to identify a cyber threat or security vulnerability;
- to respond to, prevent or mitigate “a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or use of a weapon of mass destruction”;
- to respond to, investigate, prosecute, prevent or mitigate “a serious threat to a minor, including sexual exploitation and threats to physical safety”; or
- to prevent, investigate, disrupt or prosecute an offense arising out of a reported cyber incident or ransomware attack or other enumerated offenses.
In addition to being restricted to these specified uses, reported information is subject to further limits on how governments may use it. For example, neither the federal government nor any state, local, tribal or territorial government may use reported information “to regulate, including through an enforcement action, the activities of the covered entity or entity that made a ransom payment, unless the government entity expressly allows entities to submit reports to [CISA] to meet regulatory reporting obligations of the entity.”
DHS is required to share cyber incident and ransom payment reports and other related information, such as subpoena responses, with the relevant Sector Risk Management Agencies and “other appropriate Federal agencies” within 24 hours of receipt, subject to further direction by the President.
5. Protections for Reported Information
The legislation also establishes protections for reported information that largely track those first implemented for certain voluntarily disclosed information in the Cybersecurity Information Sharing Act of 2015. Specifically, reports submitted in response to applicable reporting obligations or under the legislation’s provisions for voluntary disclosures would:
- “[be] considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity”;
- “[be] exempt from disclosure under [the Freedom of Information Act] as well as any provision of State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records”;
- “[be] considered not to constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection”; and
- “not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.”
The legislation also provides a suit dismissal provision associated with the new reporting requirements. Specifically, “[n]o cause of action shall lie or be maintained in any court by any person or entity and any such action shall be promptly dismissed for the submission” of a mandatory incident or ransom payment report. This suit dismissal provision does not apply to an action brought by the federal government to enforce a subpoena against a covered entity. This provision also only applies to “litigation that is solely based on the submission of a covered cyber incident report or ransom payment report” to CISA—a new standard that did not appear in the Cybersecurity Information Sharing Act of 2015.
Finally, no report submitted to CISA pursuant to this legislation or “any communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting such report may be received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding in or before any court, regulatory body, or other authority of the United States, a State, or a political subdivision thereof.”
6. Other Provisions
This legislation also includes several provisions to further enhance the cybersecurity ecosystem and public-private information sharing.
- Cyber Incident Reporting Council: The legislation calls for the creation of a Cyber Incident Reporting Council led by the Secretary of Homeland Security to “coordinate, deconflict, and harmonize Federal incident reporting requirements.”
- Ransomware Vulnerability Warning Pilot Program: The legislation provides for the creation of a new pilot program to “develop processes and procedures for, and to dedicate resources to, identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of those vulnerable systems of their security vulnerability.” There would be no duty for owners and operators of allegedly vulnerable information systems to “take any action as a result of a notice of a security vulnerability.”
- Joint Ransomware Task Force: The legislation calls for the establishment of a new joint task force chaired by CISA “to coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.” The National Cyber Director, in coordination with DHS, would determine appropriate participants from federal agencies.
- Coordination of Reports Submitted to Other Agencies: The legislation requires other federal agencies that receive incident reports to submit those reports to CISA.