U.S. Cybersecurity Agency Proposes New Rules on Breach Reporting Requirements


In a significant move to bolster national cybersecurity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) unveiled a set of proposed rules on breach reporting requirements on March 27, 2024.

The proposed rules, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), are poised to introduce stricter guidelines for reporting cyber incidents affecting critical infrastructure entities across various sectors.

According to the notice of proposed rulemaking (NPRM) released by CISA, covered entities would be obligated to report qualifying cyber incidents, ransom payments made in response to ransomware attacks, and any substantially new or different information discovered subsequent to a prior report submitted to CISA.

Key provisions of the proposed rules include:

  • Reporting Timeframes: Covered entities must notify CISA within 72 hours of a qualifying cyber incident and within 24 hours in case of ransom payments made following a ransomware attack.
  • Qualifying Cyber Incidents: CISA defines qualifying cyber incidents as substantial events leading to loss of confidentiality, integrity, or availability of information systems, serious impacts on safety and operational resiliency, disruptions to business or industrial operations, or unauthorized access to nonpublic information facilitated by third-party compromises.
  • Covered Entities: The proposed rules extend to entities exceeding small business size standards set by the U.S. Small Business Administration or subject to sector-specific standards proposed for critical infrastructure entities.
  • Reporting Mechanism: Covered entities are required to submit reports through a web-based form, the “CIRCIA Incident Reporting Form,” available on CISA’s website.
  • Enforcement Powers: CISA would possess enforcement authority to issue Requests for Information (RFIs) or subpoenas. Failure to comply could result in referral to the U.S. Attorney General for enforcement.
  • Penalties for False Statements: Covered entities found making materially false or fraudulent statements or representations within CIRCIA reports face penalties.

The proposed rules aim to enhance cybersecurity resilience across critical infrastructure sectors, encompassing areas such as energy, healthcare, transportation, and government facilities. By establishing clearer reporting guidelines and enforcement mechanisms, CISA seeks to ensure timely and comprehensive response to cyber threats facing the nation’s vital infrastructure.

The NPRM is set to be officially published on April 4, 2024, with a public comment period extending until June 3, 2024.

Stakeholders and industry experts are anticipated to provide feedback, shaping the final regulatory framework for breach reporting requirements in the United States.