
Brace for Coming Cyber Reporting Rule

Jeff Hannapel

In April, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rule Making (NPRM) detailing how companies and most metalcasters will have to comply with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Under the proposed rule, virtually every owner/operator entity within one of 16 identified Critical Infrastructure sectors (including manufacturing) will have to report a “covered cybersecurity incident”:

1. Within 72 hours after a covered entity “reasonably believes that [a] substantial cyber incident has occurred.” 

2. Not later than 24 hours after making a ransom payment that results from a ransomware attack against a covered entity.

The proposed rule, if adopted in its current form, will substantially expand on existing U.S. cyber incident reporting requirements and have important implications for how metalcasters respond to cyber incidents. CISA spent the last two years developing the proposed rule after Congress passed the incident reporting law in March 2022 due to ongoing cyberattacks and threats. The law's requirements are among the most sweeping cybersecurity requirements ever passed into law. The principal goal is to ensure that sufficient data is received promptly so the government can take necessary steps to ensure integrity and protect against cyber threats across the Critical Infrastructure sectors.

Significant elements of the proposal include the following: a broad range of reportable incidents; reporting timelines; form and content requirements; data preservation and recordkeeping requirements; enforcement mechanisms; exceptions to the reporting requirements; and company protections.

Who is “Covered”?

The proposed rule will require cyber incident reporting for covered entities in all 16 critical infrastructure sectors. Entities that meet certain threshold criteria—regardless of size—are covered by the rule.

Metalcasters fall under the Critical Manufacturing Sector, which includes any entity that owns or has business operations that engage in primary metal manufacturing; machinery manufacturing; electrical equipment, appliance, and component manufacturing; or transportation equipment manufacturing.

In addition, under the Defense Industrial Base Sector, an entity that is a contractor or subcontractor required to report cyber incidents to DoD is considered a covered industry. This pulls in any DoD contractor or subcontractor, regardless of size, that handles Controlled Unclassified Information.

CISA’s proposed requirements around what constitutes a “covered cyber incident” are complex and detailed. The agency’s rules center around triggering reporting for incidents that result in at least one of four scenarios: (1) “Substantial Loss of Confidentiality, Integrity, or Availability.” (2) “Serious Impact on Safety and Resiliency of Operational Systems and Processes.” (3) “Disruption of Ability to Engage in Business or Industrial Operations.” (4) “Unauthorized Access Facilitated Through or Caused by (A) a Compromise of a [Cloud Service Provider], Managed Service Provider, or (B) Other Third-Party Data Hosting Provider, or Supply Chain Compromise.”

How Will Reporting Work?

CISA plans to release, at the same time as the final rule, a web-based form through which organizations can report cyber incidents. Under the proposed rule, a covered entity is required to submit a report to CISA if it experiences a covered cyber incident, makes a ransom payment, or has substantial or new information that updates a previously submitted report.

The proposed rule outlines four types of CISA reports that may be required, each with separate deadline requirements:

• Covered Cyber Incident Report must be submitted within 72 hours after an entity reasonably believes that a covered incident occurred.

• Ransom Payment Report must be submitted no later than 24 hours after the payment was made.

• Joint Covered Cyber Incident and Ransom Payment Report must be submitted if a covered entity makes a ransom payment within 72 hours of a covered cyber incident. The report must be submitted within 72 hours of the cyber event occurring.

• Supplemental Report must be submitted if a covered entity makes a ransom payment related to a previously reported cyber incident. The report must be submitted within 24 hours of the funds being disbursed.

CISA proposes to adopt several protections for information reported and for entities and persons described in the reports. CISA would allow covered entities to mark reports as protected commercial, financial, and proprietary information. It would also exempt the reports from Freedom of Information Act requests, maintain privileges such as attorney-client privilege, and waive any ex parte communications rules.

CISA has proposed that the covered entity is “the entire entity … not the individual facilities or functions” that meet the sector-specific criteria. Consequently, a substantial cyber incident experienced by a non-critical part or facility of the entity would still need to be reported. Furthermore, the law also gives CISA the power to issue a subpoena to any organization that doesn’t comply with the rules. 

While covered entities will not be required to report covered cyber incidents or ransom payments until the final rule goes into effect, CISA has encouraged all entities to voluntarily share this information with CISA in the interim (https://www.cisa.gov/report).

Public comments on the proposed rule are due by June 3, and CISA expects to publish the final rule by October 4, 2025, with reporting likely beginning in 2026. AFS will be submitting formal comments urging CISA to provide more flexibility in some of the short reporting time frames and to harmonize its proposal with existing federal cyber incident reporting requirements, as well as addressing other key issues.