New law requires ‘critical infrastructure’ organizations to report cybersecurity incidents, ransomware payments

A new federal law is set to add significant reporting demands for many organizations, particularly federal agencies and businesses deemed “critical infrastructure operators.” Most notably, the Cyber Incident Reporting for Critical Infrastructure Act will require covered entities to report “substantial” cyberattacks to the government within 72 hours after confirmation, and to disclose ransomware payments within 24 hours.

These quick-turn reporting requirements will impact organizations across 16 “Critical Infrastructure” sectors, including financial services, energy, “critical manufacturing,” transportation systems, and healthcare. The bill was quickly passed amid heightened concerns that Russia might ramp up cyberattacks in retaliation for U.S. involvement in sanctions related to the invasion of Ukraine.

While full approval of the language may take some time – the current text allows a total of 42 months for rulemaking and delivery of the final legislation – it is clear that the legislation will require that covered entities continuously monitor for threats, swiftly detect and respond to incidents, and provide timely reporting on incidents and ransomware payments. To meet these requisites, critical infrastructure owners and operators will need to make sure that they have the right technologies, procedures, and adequate resources in place, along with documented and tested incident response plans and reporting processes.

The legislation

The new legislation was attached to the sweeping $1.5 trillion omnibus spending package signed into law on March 15. It was previously proposed as part of the Strengthening American Cybersecurity Act, which passed the Senate earlier this month; there it was combined with two previously considered laws, the Federal Information Security Modernization Act (FISMA) and the Federal Secure Cloud Improvement and Jobs Act, but only the critical infrastructure provision was included in the omnibus.

In addition to the critical infrastructure reporting requirements, it also requires that government agencies “enhance the quality and effectiveness of information sharing and coordination efforts”; to encourage reporting, the legislation says that incident reports will be “proprietary.”

Exact requirements are not final; they will be determined by the Cybersecurity and Infrastructure Security Agency (CISA) through a rule-making process. It’s likely that the mandates will comprise an extension of the National Institute of Science and Technology (NIST) Special Publication 800-171, as well as certain provisions from NIST SP 800-63-4 (draft), which sets forth security controls for critical infrastructure. CISA will also be responsible for harmonizing the law’s requirements and jurisdictions among federal agencies such as the FBI. 

The heavy lift

Implementing the advanced cybersecurity capabilities will be an arduous undertaking for most. The mandate to report cybersecurity incidents within 72 hours will be especially challenging; even organizations with mature cybersecurity capabilities may lack the people, technologies, and processes to deliver 72-hour reporting. A deep-seated reason is that many still consider cybersecurity an IT issue, not a core business responsibility. It’s important to remember that these protocols are necessary because they protect information, which is the new currency in today’s connected economy and global ecosystem.

Implementing the new requirements will require that organizations change how they think about cybersecurity. The rising frequency and severity of cyberattacks have become an existential threat for businesses across industries – and should be treated as such, from the board down. Most business leaders we talk to believe that a cyberattack on their organization is a matter of when, not if. The most security-conscious among them assume that they have already been compromised, and have begun exploring how to quickly identify, eradicate, and remediate cybersecurity incidents. A strong, comprehensive incident response plan is critical.

Even if remediation is swift and effective, intruders can inflict considerable damage. Compromises can go undetected for months or longer, giving intruders ample time to carry out destructive attacks. 

One thing the bill doesn’t require is that third parties disclose incidents discovered on clients’ networks, as did previous drafts. Similarly, the legislation alters earlier language that required almost all businesses – not just critical infrastructure providers – to disclose ransomware payments. 

If there’s one overarching weakness of the law, it’s that it doesn’t address protective measures, to help avoid incidents in the first place. In today’s elevated threat environment, organizations will need both defensive and proactively protective playbooks to address cyber-risks. 

It takes time to get cybersecurity ready – and right.

Overall, the legislation establishes the urgency of implementing additional cybersecurity capabilities for the nation’s critical infrastructure and federal government agencies. Yet the extended time frame for rulemaking and delivery of the final bill belies the urgency of these measures. 

The enforcement mechanisms are not especially robust. The government can issue a subpoena to organizations that fail to report incidents, and those that don’t respond to a subpoena are subject to civil action in a U.S. district court. It should be noted that a potential contempt of court penalty is not a particularly strong disincentive. 

Nonetheless, this legislation represents an important step toward protecting U.S. critical infrastructure from increasingly malicious and destructive nation-state actors. The law’s information-sharing policies will provide transparency and boost cyberthreat awareness among critical infrastructure operators and federal agencies.

Forty-two months to prepare for the legislation may seem like a long time, but now’s the time to get started. It will be a significant effort to hire and train people, implement technologies and processes, and test reporting systems. You’ll need ample time to get cybersecurity ready – and right.