What CISA Wants Critical Infrastructure Partners to Report on Cyber Incidents


A new guide provides clues into how the agency might be thinking of crucial details, such as what should count as an “incident” under a new law.

As it embarks on a complicated rulemaking process to implement the new cyber incident reporting law, the Cybersecurity and Infrastructure Security Agency has published a quick guide of what kind of incidents critical-infrastructure entities should be sharing with the government, and how.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022, which became law last month as part of an overdue spending package amid a sense of urgency surrounding Russia’s invasion of Ukraine, gives CISA up to 3.5 years to finalize rules that will settle essential questions about the law’s applicability. For example, the rules will aim to clarify what kinds of “incidents” and “entities” are covered by CISA’s 72-hour reporting requirement for covered cyber incidents, and by the separate 24-hour requirement for reporting ransom payments.

“In accordance with CIRCIA, CISA will now undertake a rulemaking process to implement the statutory requirements,” the guide reads. “In the interim, CISA continues to encourage our stakeholders to voluntarily share information about cyber-related events that could help mitigate current or emerging cybersecurity threats to critical infrastructure.”

According to the guide, published this month and aimed at critical infrastructure owners and operators as well as federal, state, local, territorial and tribal government partners, the “types of activity” that should be shared with CISA include: “unauthorized access to your system; denial of service attacks that last more than 12 hours; malicious code on your systems, including variants if known; targeted and repeated scans against services on your systems; repeated attempts to gain unauthorized access to your system; email or mobile messages associated with phishing attempts or successes; [and] ransomware against critical infrastructure,” with instructions to “include variant and ransom details if known.”

In addition to pointing to its standard incident-reporting form, CISA listed the details that entities should prioritize when reporting. Those are: “incident date and time; incident location; type of observed activity; detailed narrative of the event; number of people or systems affected; company/organization name; point of contact details; severity of event; [and the] critical infrastructure sector if known.”

The agency stressed the importance of including full point-of-contact information so that CISA can follow up with the reporting organization and take appropriate action.

“When cyber incidents are reported quickly, CISA can use this information to render assistance and provide a warning to prevent other organizations and entities from falling victim to a similar attack,” the guide said.