CISA Looks Back On One Year of CIRCIA, Encourages Cyber Threat Sharing

March 28, 2023 - President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law one year ago, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations that would solidify cyber incident reporting requirements for covered entities.

Among its many provisions, CIRCIA required CISA to issue regulations requiring covered critical infrastructure entities to report cyber incidents within 72 hours, launch the Joint Ransomware Task Force, and establish the Ransomware Vulnerability Warning Pilot Program, the latter of which was just established in mid-March.

CISA Executive Director Brandon Wales reflected on the progress that CISA has made toward these goals in the past year in a new blog post.

“In that time, we’ve been working to implement the law thoughtfully, listening to stakeholders, and building the staffing, processes, and technology to successfully implement this groundbreaking legislation,” Wales wrote.

CISA hosted a variety of sector-specific listening sessions, which allowed industry leaders to share their thoughts on how to implement CIRCIA’s regulatory requirements. In addition, CISA maintained communication with all the Sector Risk Management Agencies (SRMAs), the Department of Justice (DOJ), and other entities.

“CISA is considering the inputs received through these consultations as we develop the proposed regulations and look for ways to harmonize CIRCIA’s requirements with other existing cyber incident reporting regulatory requirements,” Wales continued.

The blog post emphasized the importance of threat sharing and cyber incident reporting, highlighting key tenets of CIRCIA.

“One of the most vital aspects of CIRCIA is that it enhances CISA’s ability to use cybersecurity incident and ransom payment information reported to the agency to spot trends in real-time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyberattacks, and share information to warn other potential victims,” the post stated.

CISA encouraged all critical infrastructure owners and operators to voluntarily share cyber incident information, even if they are not covered under CIRCIA.

During a recent Senate Homeland and Governmental Affairs Committee hearing, healthcare industry leaders similarly stressed the importance of threat sharing as a key to enhancing industry and government partnerships.

Both government and industry experts have made it clear that reducing cyber risk must be a team effort. Successfully mitigating risk requires organizations to receive actionable threat intelligence and support from the government. Meanwhile, the government needs industry buy-in via cyber incident and ransom payment reporting in order to provide relevant support and information.

CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) by March 2024, which will be open for public comment, the blog post noted. CISA encouraged critical infrastructure entities to continue to provide comments and feedback on these developments.