U.S. Cybersecurity Agency Proposes Regulation to Require Cyber Incident Reporting

April 24, 2024

On April 4, 2024, the Federal Register published the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) notice of proposed rulemaking, including the text of the proposed regulation that would implement the key provisions of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA” or the “Act”).

The proposed regulation defines the scope of the Act’s requirement that covered entities in critical infrastructure businesses report covered cyber incidents to CISA. The Act requires covered entities to report incidents within 72 hours of forming a reasonable belief that a substantial cyber incident has occurred, to report ransom payments within 24 hours of making such a payment, and to preserve related data and records for at least two years. The proposed regulation defines the covered entities subject to the reporting obligations as entities within the 16 critical infrastructure sectors that either (i) exceed the size standards set in the U.S. Small Business Administration’s Small Business Size Regulations or (ii) meet one of 16 different sets of sector-specific criteria in the proposed regulation. The proposed regulation is subject to public comment and further modification. The reporting obligations will not take effect until a final version of the regulation is published, which is expected within the next 18 months.
