On March 15, 2022, President Biden signed the Consolidated Appropriations Act 2022, a $1.5 trillion omnibus spending package to fund the government through September 2022.  The omnibus spending package includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”), which establishes two cyber incident reporting requirements for covered critical infrastructure entities:  a 24-hour requirement to report any ransomware payments to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and a 72-hour requirement to report all covered cyber incidents to CISA.  These requirements will take effect upon the issuance of implementing regulations from the Director of CISA.

Covered Entities.  The Act applies to “covered entities” in the sixteen United States critical infrastructure sectors.  Such covered entities will be further defined by the CISA Director through a rulemaking process described further below.

24-Hour Ransom Payment Reporting Requirement.  Covered entities that make payments as “the result of a ransomware attack” (as defined by the Act) must report the payment to CISA within 24 hours of the payment.  Such reports must contain specific information about the ransomware attack and the threat actors reasonably believed to be responsible for the attack including, inter alia:  a description of the attack; a description of the vulnerabilities, tactics, techniques, and procedures used to perpetuate the attack; any identifying or contact information related to each actor reasonably believed to be responsible for the ransomware attack; the date and amount of the ransom payment; and the ransom payment demand and instructions.

72-Hour Cyber Incident Reporting Requirement.  Covered entities are required to report any “covered cyber incident” to CISA within 72 hours and to “promptly” submit supplemental reports providing updated or additional information about the incident, including if ransom payments are made after the submission of an initial report.

Covered Cyber Incidents.  The Act specifies that “covered cyber incidents” include “substantial” cyber incidents that involve:  the substantial loss of confidentiality, integrity, or availability of information systems or networks or a serious impact on the safety and resiliency of operational systems and processes; a disruption of business or industrial operations, whether on an information system or network or an operational technology system or process; or unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a third-party provider or by a supply chain compromise.

Content of Incident Reports.  The Act specifies that covered incident reports shall contain certain information about the incident and any actor reasonably believed to be responsible for the incident, including, inter alia: a description of the covered incident; a description of the vulnerabilities, security defenses, tactics, techniques, and procedures used to perpetuate the cyber incident; and the identification of the category or categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.

Preservation of Information.  The Act specifies that any covered entity subject to the Act’s reporting requirements shall preserve any relevant data associated with a covered cyber incident or ransom payment.

Exemption.  The Act provides a reporting exemption to covered entities that are “required by law, regulation, or contract” to submit substantially similar information to another Federal agency within a substantially similar timeframe as the reporting timeframe provided in the Act.

Enforcement.  If a covered entity fails to make a required report, the Act permits the CISA Director to directly engage with the entity to obtain the relevant information.  If the entity fails to cooperate with such direct engagement, the CISA Director may issue a subpoena to obtain the relevant information.  If an entity fails to comply with a subpoena, the matter may be referred to the U.S. Department of Justice for enforcement.

Liability Protections.  The Act shields reporting entities from liability associated with the submission of incident reports required by the Act or future implementing regulations.  These liability protections only apply to litigation based solely on the submission of a covered cyber incident report or ransom payment report to CISA.

Timing/Effective Date.  These requirements have not yet taken effect.  The CISA Director has two years to publish a notice of proposed rulemaking to implement the Act, and 18 months after that to issue the final rule.  Thus, the CISA Director has up to three and a half years to issue the final rule.  That said, given the U.S. Government’s current level of interest in cyber incidents related to critical infrastructure, the CISA Director may move quickly to implement the requirements of the Act.  In other words, although the Act provides the Director with three and a half years to issue the final rule, any such rulemaking is likely to take place prior to this statutory deadline.

Outlook.  Critical infrastructure entities that believe they may be covered by the final rule may want to consider examining their internal processes to detect, identify, and respond to cyber incidents and developing a testing strategy to exercise these processes on a periodic basis.  Additionally, they should consider whether they would like to engage in the rulemaking process (e.g., through the submission of comments).  Further, as the rulemaking process will provide more granular requirements consistent with the Act, critical infrastructure entities that believe they may be covered by the final rule should continue to monitor developments in this area to understand the full scope of the requirements that are likely to be imposed through the rulemaking process and when those requirements are likely to take effect.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing…

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Photo of Robert Huffman Robert Huffman

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance…

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Photo of Moriah Daugherty Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients…

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

Hensey A. Fenton III

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development…

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development, and tax.

Another facet of Hensey’s practice involves cutting-edge legal issues in the cybersecurity space. Having published scholarly work in the areas of cybersecurity and cyberwarfare, Hensey keeps his finger on the pulse of this fast-developing legal field. His Duke Journal of Comparative & International Law article, “Proportionality and its Applicability in the Realm of Cyber Attacks,” was highlighted by the Rutgers Computer and Technology Law Journal as one of the most important and timely articles on cyber, technology and the law. Hensey counsels clients on preparing for and responding to cyber-based attacks. He regularly engages with government and military leaders to develop national and global strategies for complex cyber issues and policy challenges.

Hensey’s practice also includes advising international clients on various policy, legal and regulatory challenges, especially those challenges facing developing nations in the Middle East. Armed with a distinct expertise in Middle Eastern foreign policy and the Arabic language, Hensey brings a multi-faceted approach to his practice, recognizing the specific policy and regulatory concerns facing clients in the region.

Hensey is also at the forefront of important issues involving Diversity, Equity and Inclusion (DEI). He assists companies in developing inclusive and sustainable DEI strategies that align with and incorporate core company values and business goals.

Prior to joining Covington, Hensey served as a Judicial Law Clerk for the Honorable Judge Johnnie B. Rawlinson, United States Court of Appeals for the Ninth Circuit. He also served as a Diplomatic Fellow in the Kurdistan Regional Government’s Representation (i.e. Embassy) in Washington, DC.