View Rule
View EO 12866 Meetings | Printer-Friendly Version Download RIN Data in XML |
DHS/CISA | RIN: 1670-AA04 | Publication ID: Fall 2024 |
Title: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements | |
Abstract:
The Cybersecurity and Infrastructure Security Agency (CISA) will finalize regulations to implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Specifically, CIRCIA directs CISA to develop and implement regulations requiring covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments. CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the date of enactment of CIRCIA as part of the process for developing these regulations. CISA previously issued a Request for Information on September 12, 2022, and held a series of listening sessions seeking public input on potential aspects of the proposed regulation prior to publication of the NPRM. On April 4, 2024, CISA published the NPRM with a 60-day open comment period to solicit public feedback on the proposed regulations. On May 6, 2024, CISA extended the public comment period for an additional 30 days ending the comment period on July 3, 2024. |
|
Agency: Department of Homeland Security(DHS) | Priority: Section 3(f)(1) Significant |
RIN Status: Previously published in the Unified Agenda | Agenda Stage of Rulemaking: Final Rule Stage |
Major: Yes | Unfunded Mandates: No |
CFR Citation: 6 CFR 226 | |
Legal Authority: 6 U.S.C. 681 et seq. |
Legal Deadline:
|
|||||||||||||||||||||
Statement of Need: The Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directs CISA to develop and implement regulations requiring covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments. CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the date of enactment of CIRCIA and to publish a final rule 18 months after publication of the NPRM. CISA previously issued a Request for Information on September 12, 2022, and held a series of listening sessions seeking public input on potential aspects of the proposed regulation prior to publication of the NPRM. |
|||||||||||||||||||||
Summary of the Legal Basis: This regulation is statutorily mandated by 6 U.S.C. 681 et seq. |
|||||||||||||||||||||
Anticipated Costs and Benefits: As CISA has already begun making investments to operationalize the CIRCIA program in anticipation of the publication of the Final Rule in 2025, the Preliminary RIA for the NPRM presents an 11-year period of analysis with government costs for the two years prior to publication of the CIRCIA Final Rule included in the total cost of the proposed rule. Based on the primary estimates for industry’s cost of $1,444.5 million, and an estimated Government cost of $1.175.3 million, CISA estimates an 11-year undiscounted combined cost to industry and government of $2.6 billion. Discounted at 2%, the estimated 11-year cost of this proposed rule is $2.4 billion, with an annualized cost of $244.6 million.
Qualitative benefits include (a) improved incident reporting and response and (b) improved cybersecurity posture through improved ability to prevent or mitigate events through information sharing, early warning, threat analysis, and incident response. The preservation of data and records in the aftermath of a Covered Cyber Incident serves a number of critical purposes, such as supporting the ability of (a) analysts and investigators to understand how a cyber incident was perpetrated and by whom and (b) law enforcement to capture and prosecute perpetrators of cyber incidents and recover ill-gotten proceeds from the criminal activity. |
|||||||||||||||||||||
Timetable:
|
Regulatory Flexibility Analysis Required: Undetermined | Government Levels Affected: Undetermined |
Federalism: No | |
Included in the Regulatory Plan: Yes | |
RIN Information URL: https://www.regulations.gov | Public Comment URL: https://www.regulations.gov |
RIN Data Printed in the FR: No | |
Agency Contact: Todd Klessman CIRCIA Rulemaking Team Lead Department of Homeland Security Cybersecurity and Infrastructure Security Agency CISA - CHR Mailstop 0609, 1310 N Courthouse Road, Arlington, VA 20598-0609 Phone:202 964-6869 Email: circia@cisa.dhs.gov |