Cyber Incident Reporting for Critical Infrastructure Act of 2022

Cyber Incident Reporting Requirements Signed into Law

On Tuesday, March 15, 2022, President Biden signed into law the Consolidated Appropriations Act, which includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This act requires covered entities to report any substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing that such incident has occurred. Additionally, any ransomware payments made as a result of a ransomware attack against a covered entity will need to be reported to CISA within 24 hours. 

Is Your Organization a Covered Entity?

The legislation defines the term covered entity as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that satisfies the definition established by the Director in the final rule issued pursuant to section 2242(b).” What does this mean? The Act is imposing its new reporting requirements on critical infrastructure entities that will be clearly identified through rulemaking by CISA. 

There’s Work To Be Done

CISA will have 2 years to issue a Notice of Proposed Rulemaking (NPRM) proposing the final rules to implement the requirements included in the Reporting Act. The new legislation also requires CISA to conduct an outreach and education campaign to inform likely covered entities of the new reporting requirements.

In the meantime, as the concern over Russian cyber threats grows, it’s a good time for organizations to continue to strengthen their cybersecurity. As your IT partner, Digital Industry will continue to closely monitor the situation and inform you of any potential impact this bill may have on your organization’s cybersecurity requirements.