A year after CIRCIA passage – what has been done so far, and what remains to be done

It’s been a year since U.S. President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law, a move that has proven crucial for enhancing cybersecurity across the nation. While those familiar with CIRCIA might think first of its regulatory requirements, the law also contains critical requirements that are more operational in nature.

As an agency grounded in collaboration and coordination, the Cybersecurity and Infrastructure Security Agency (CISA) has worked hard to ensure it hears from the American people, critical infrastructure owners and operators, and other members of the cybersecurity community before developing proposed regulations.

One of the most important features of CIRCIA is that it improves CISA’s capacity to use the cyber incident and ransom payment data reported to the agency. That data helps CISA identify trends in real time, close crucial information gaps, swiftly deploy resources to assist entities suffering from cyberattacks, and share information to warn other potential victims.

“In accordance with the law, CISA and the Federal Bureau of Investigation (FBI) established the Joint Ransomware Task Force (JRTF) in September 2022 to coordinate a nationwide campaign against ransomware attacks,” Brandon Wales, executive director at CISA, wrote in a recent blog post. “In addition, CISA established the Ransomware Vulnerability Warning Pilot (RVWP) Program in January 2023 to identify the most common security vulnerabilities used in ransomware attacks and to identify information systems that already contain these vulnerabilities. Together, JRTF and RVWP are making Americans safer and better equipped to handle cyber incidents.”

Wales added that in addition to proactively seeking out vulnerabilities, entities that experience cyber incidents must report them. If incidents are not reported, “we will collectively continue to suffer from a lack of certainty around the depth and breadth of the threat of cyber threat activity to America’s critical infrastructure.”

Reporting cyber incidents is so vitally important that CIRCIA established mandatory reporting requirements for covered entities that have experienced a covered cyber incident or made a ransom payment; those requirements will be implemented through regulation, Wales said. “CISA is currently working in accordance with the timeline provided by CIRCIA to develop thoughtful regulations that will become effective after a final rule is published.”

Looking ahead, CISA is required by CIRCIA to publish a Notice of Proposed Rulemaking by March next year and open it for public comment. Last September, CISA issued a 60-day Request for Information (RFI) soliciting public input on approaches to implementing the cyber incident reporting requirements. The agency sought this feedback as it develops the proposed regulations that follow from CIRCIA’s passage.

Agency staff also made ten stops from coast to coast to host in-person listening sessions and published the RFI to solicit written comments. “We are grateful to those who attended the in-person sessions and the approximately 130 individuals and organizations who submitted written comments in response to the RFI. Together, this feedback is helping us implement the legislation in the most effective way possible to protect the nation’s critical infrastructure,” Wales said.

During that same time, CISA hosted 17 virtual, sector-specific listening sessions, including one for each of the 16 critical infrastructure sectors. These listening sessions provided additional opportunities for industry partners to share their perspectives on potential approaches to implementing CIRCIA’s regulatory requirements.

Wales confirmed that CISA has also been consulting closely with federal partners, including the sector risk management agencies (SRMAs), the Department of Justice (DOJ), and many other federal departments and agencies that have a role in cyber incident reporting. “CISA is considering the inputs received through these consultations as we develop the proposed regulations and look for ways to harmonize CIRCIA’s requirements with other existing cyber incident reporting regulatory requirements.”

Although the reporting regulations will apply only to covered entities, and only to covered cyber incidents and ransom payments, Wales noted that “we encourage all critical infrastructure owners and operators to voluntarily share information on cyber incidents, phishing attempts, malware, and vulnerabilities, to help prevent other organizations from becoming victims to similar incidents.”

Speaking at an appearance last week before the Economic Club of New York, Jen Easterly, CISA director, said that U.S. corporate leaders need to embrace cybersecurity as an issue of central importance to the success of their businesses. She acknowledged that “this is not an issue the government can fix on its own, but businesses will need to play an important role in solving.”

Earlier this month, the U.S. administration rolled out its National Cybersecurity Strategy to reimagine cyberspace and shift more of the cybersecurity burden onto technology providers. The document imposes additional mandates on the organizations that control the majority of the nation’s digital infrastructure and gives the government an enhanced role in disrupting hackers and state-sponsored entities, recognizing that cybersecurity regulations must be calibrated to meet the needs of national security and public safety.

As part of a larger effort by the U.S. administration to improve cyber and technology governance, the National Cybersecurity Strategy sets its sights on bolstering security and resilience across critical infrastructure, increasing accountability for tech companies, boosting privacy protections, and ensuring fair competition online. The initiative aims to address cyber threats and make the digital ecosystem defensible, resilient, and values-aligned.

Just last week, CISA published stakeholder-driven updates to its Cybersecurity Performance Goals (CPGs) in response to feedback received directly from the critical infrastructure community. The CPGs have been reorganized, reordered, and renumbered to align closely with the functions of the NIST Cybersecurity Framework (CSF), helping organizations use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF.
