On March 15, 2022, US President Joe Biden signed into law the Consolidated Appropriations Act of 2022, an omnibus bill covering spending for agriculture, commerce, science, the Department of Defense, and several related agencies. The bill will give approximately $1.5 trillion in budgeting power to those agencies and departments, as well as money for Ukraine. For our purposes, the primary focus of this post will be the “Division Y – Cyber Incident Reporting for Critical Infrastructure Act of 2022.”
What Happened
House Resolution 2471, the ”Consolidated Appropriations Act of 2022”, was signed into law by President Biden after over a year of Senate and House debates and changes. The President signed the bill into law on March 15 of 2022, and the bill became Public Law Number 117-103. Division Y of the new law specifically relates to the reporting of cyber incidents and ransomware payments made by certain entities or their third-party affiliates. It also includes vulnerability notifications from the Cybersecurity and Infrastructure Security Agency (CISA), and the process moving forward that will determine how these actions will be codified and managed.
How will this Affect You?
If you are a Covered Entity, as defined in Presidential Policy Directive 21, then you will be responsible for the reporting of a substantial cyber incident as defined in the final rule created by the Director of the Cybersecurity and Infrastructure Security Agency (CISA).
Those entities include the following agencies, groups, and organizations:
- Federal
- State
- Local
- Tribal
- Territorial
- And public or private owners of critical infrastructure.
Examples of public owners would be major power providers, Internet service providers, railroad lines, or perhaps even certain other providers of necessary items.
Any organization that is a covered entity as noted above will be required to notify the appropriate agency that an incident has occurred, as well as provide information related to the ransom paid. Not doing so could result in litigation and/or financial penalties.
Also, if you use a third-party provider, such as a Managed Service Provider (MSP), for your cybersecurity, then they would be responsible to notify you of an incident, any payment, and your obligation to report it. They would not be responsible, at this time, for directly reporting either the incident or payment to the agency.
Part of this legislation is the final rule, which will define the above, as well as many other items such as what information shall be included in reporting, where to report, how quickly to report, and more. The final rule should be proposed by notice no later than 24 months after the enactment of this law, and within 18 months after that, the proposal should be finalized. This is to ensure that the process is defined and codified in a manner that all affected parties will be able to understand.
Reporting timeline
When a cyber incident occurs, there is always some measure of information that must be reported to someone, even if only within your organization. What you know may be limited, or of questionable value, but reporting that the incident has occurred, when it occurred, and any information on what the incident entailed, is important.
When you or your organization experiences a covered cybersecurity incident:
- You must report the incident to the CISA no later than 72 hours after the incident occurred or was discovered.
- If you make a ransom payment, you must report the details of the payment within 24 hours after it has been paid.
- You must continue to update your reporting as required by the CISA, if a substantial change or different information becomes available, or if you are requested to provide further information or detail.
Know too that you may, if you so choose, report incidents that are not covered under this law, but where you report that information will be different than that of a covered incident. You may also include more information than is strictly required, but should be careful not to include any information that is personally identifiable information (PII), sensitive personally identifiable information (SPII), or any information of a sensitive nature.
Other items of interest in this Act
The Act also includes:
- The establishment of a Cyber Incident Reporting Council – comprised of intergovernmental agencies such as the Attorney General, the National Cyber Director, and others.
- Information sharing amongst agencies and outside organizations – protecting information submitted in a report or supplemental reports.
- If reporting is not accomplished promptly as required, subpoenas and court actions may be used to garner the information required.
- The information required in an incident report is not yet defined but these measures are for those entities who do not report the breach within the allotted time or do not respond to inquiries concerning the breach quickly enough.
- Wording that allows you to report through those already mandated avenues, without also reporting to CISA – if the information you are reporting is essentially the same, you don’t have to report it more than once.
- A vulnerability notification system managed by the CISA – vulnerabilities will be sent to appropriate agencies, organizations, and groups by CISA.
- Those notified, except where required by law, will NOT be required to do anything with vulnerabilities that are noted. It is simply a notification process.
- It is just best practice to check for those vulnerabilities within your organization and mitigate or remediate them where possible.
What should you do
The Cyber Incident Reporting for Critical Infrastructure Act section of the Consolidated Appropriations Act is approximately 21 pages long by itself, and of course, is a legal document. If you have a legal department, make sure they review this legislation. If you don’t have a legal team,, find a representative or law firm that is knowledgeable and capable within the cybersecurity realm and make sure you know what is required of you, your affiliates, and your providers.
Northstarr Recommendations
As a Managed Service Provider, it is our responsibility to know and understand the laws governing your data, how it is used, and how it is stored. We pride ourselves on providing the most up to date information to our clients, and ensuring that their data is protected appropriately. Stop by our website and sign up for a free security assessment, or call us at 1+ (888) 767-2210 to set up an appointment to speak with a technology professional today.