May 03 2024

CIRCIA Is a Turning Point in CISA’s Cyber Watchdog Role

New cyber incident reporting rules for critical infrastructure will strengthen overall cybersecurity footing.

With its recent notice of proposed rulemaking, the Cybersecurity and Infrastructure Security Agency advanced regulations that will guide critical infrastructure companies and other organizations in the required reporting of cyber breaches and ransomware incidents.

These proposed rules, complying with the Cyber Incident Reporting for Critical Infrastructure Act of 2022, aim to address a number of challenges that have made improving organizations’ overall cybersecurity posture difficult.

What’s more, the CIRCIA rules come as cyberattacks continue to roil U.S. companies and their customers. UnitedHealth Group, a healthcare provider that touches 1 in every 3 patient records, announced Feb. 21 that it had been breached by an attacker. Pharmacy operations, medical claims and payment systems were impacted by the ransomware attack, unleashing a cascade of payment disruptions throughout the industry that delayed prescriptions and medical insurance claim processing.

Many Organizations Lack Centralized Data or a Reporting Process

The first challenge the CIRCIA rules address is a lack of centralized data.

“The biggest problem we face is a lack of metrics,” says Jim Richberg, head of cyber policy and global field CISO at Fortinet. “How big a problem is ransomware? We don’t actually know its full magnitude or impact, nor do we know what works to mitigate its impact. Without additional insights from more comprehensive data, we will remain mired in a situation where everyone has a stovepipe view.”

Another challenge is the lack of a single, organized reporting process. Without clear guidance on where to report cyberattacks and ransomware incidents, some companies and organizations may file reports with local law enforcement or an industry-focused agency, while others report to their insurance companies or aren’t required to report at all.

“CISA’s goal is to uncomplicate the cyber incident reporting process and gather information together in one place in order to share it with all,” says Sarah Cleveland, senior strategic adviser for public sector at ExtraHop.

With a centralized process, CISA will take on a larger role in maintaining overall cybersecurity situational awareness.

“We may have situations where other companies or agencies are targeted by the same threat,” Cleveland says. “CISA will be positioned to provide shared information on threats. It will be able to provide assistance with mitigation. This will give a greater understanding of what needs to be done for managing and mitigating incidents.”

Federal agencies tasked with responding to cyber incidents, such as the FBI, will benefit from the proposed CIRCIA rules as well.

“Those agencies will get better and more timely data that can help them do their jobs and can potentially allow them to help victims while the crime is still ongoing,” Richberg says.

Upskilling the Cyber Workforce and Other Actions Agencies Can Take

In conjunction with the proposed rules, CISA is making a budget request of $116 million in fiscal year 2025 for the CIRCIA program, including 122 full-time employees to “receive, analyze, and action reports.”

“One of the big impacts will be the upskilling of the federal cybersecurity force,” Cleveland says. “It will be more expensive to respond to incidents going forward. It will require more resources and monitoring within agencies and anything deemed critical infrastructure.”

CISA’s proposed rules will be open to public comment through June 3, allowing time for industry experts and the public to review and weigh in. Afterward, CISA will have 18 months to finalize the rules, and Congress will have 60 days for its own review.

Some details in the rules are already raising questions.

“I was surprised by the breadth of what the agency defined as critical infrastructure,” Cleveland says. “It is more broadly defined now, including commercial facilities, agriculture and financial services. It touches a lot of industries.”

“There are four types of incidents covered by these rules. The supply chain category is most surprising,” Richberg says. “If your supply chain gets compromised, you have to report it, even if the compromise did not cause actual damage. That, to me, feels really broad.”

There are many actions that federal agencies can take now to better protect themselves in the current threat environment.

“I’d start with having a solution in place to address threats at the point of infection, the endpoint. Do you have comprehensive endpoint threat responses that can use threat data and information about what is happening inside a device in real time and stop an activity that looks like wholesale encryption?” Richberg says. “Endpoint detection and response or extended detection and response solutions either stop an attack from gaining a foothold or keep damage from spreading beyond the point of infection.”

“Agencies will need to do more exercises, practicing for ransomware attacks and breaches. You should have staff go through timelines and who to report to and when,” Cleveland says. “Exercising is one of the missing pieces that agencies need to improve at. That’s exercising as a cross function of the agency, not just a cybersecurity activity or practice.”
