The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish within 24 months of the enactment of CIRCIA, which the President signed into law in March. The sessions and the NPRM are steps toward creating the new rule.
CISA is soliciting expert opinion on what to include in a report but is taking steps to implement the change soon. Here's what that change means for businesses in the US and what you can do about it now.
Overview of the CISA reporting rule
Owners and operators of critical infrastructure must file cyber incident reports with CISA within 72 hours. They must report ransom payments for ransomware attacks within 24 hours. Other businesses can take part voluntarily.
The CISA Director can subpoena organizations in noncompliance to compel them to provide information necessary to determine whether a cyber incident happened. The CISA Director can refer the matter to the Attorney General to bring civil action to enforce the subpoena when necessary.
CISA will share data from cyber incident reports, including defensive measures and anonymized cyber threat indicators, with other organizations. The data will help businesses adjust their security infrastructure, monitor for specific attacker TTPs (tactics, techniques, and procedures), and block or remediate attacks.
What CISA's rule means for critical infrastructure businesses
CISA's rule will enforce fast reporting, which will probably push organizations to speed up investigation and response so that initial reports are filed on time and already describe the mitigating actions taken. The rule will likely result in frequent reporting, because the broader list of covered incidents includes scans and attempted incidents, not just successful intrusions. Unreported incidents and slow reporting can trigger enforcement action from the CISA Director. Organizations will need incident investigation and response processes that produce more usable results, faster, than in the past.
The rule will force organizations to use every means to tighten and enforce security protocols to reduce the frequency of cyber incidents. Organizations will need additional security rules and policies to rein in attacks; additional steps to enforce those protocols will follow.
Increasing demand for effective cybersecurity will elevate cyber industry competition. Cybersecurity vendors must keep pace with their customers and the new 72-hour timetable as they aid in the investigation, response, and reporting of incidents the rule covers. The market for security analysts and related specialists will grow.
Getting ahead of CISA's reporting rules now
CISA emphasizes taking action to mitigate cyber incidents. Response actions include triggering a disaster recovery plan and hunting for network intrusions.
Response actions are challenging even without stringent time constraints. It is common practice for organizations to reset employee passwords after a cyber incident, but blanket password resets are expensive and time-consuming.
Organizations need solutions that ease the process. After an attack, IT can run a free copy of the Specops Password Auditor to generate a password age report showing who has changed their password and when. IT can use this information to force a password reset only for those users who have not already changed their passwords themselves.
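The same "who has not rotated since the incident" check, written as an added example for this article; it is not the Specops Password Auditor and not code from the original page. It assumes the RSAT ActiveDirectory module is installed, that the caller can read and (with -Enforce) modify user objects, and that the incident start time is known; the parameter names, the OU scoping and the sample timestamp in the comment are assumptions made for the example.

```powershell
# Added example: report enabled AD users whose password predates the incident,
# and optionally mark them to change it at next logon.
# Assumes the RSAT ActiveDirectory module; run as an account with rights on the user objects.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [datetime]$IncidentStart,       # e.g. '2022-09-01T08:00:00Z' (constructed placeholder)
    [string]$SearchBase = $null,    # optional OU distinguished name to scope the query
    [switch]$Enforce                # without -Enforce the script only reports
)

Import-Module ActiveDirectory

$query = @{
    Filter     = { Enabled -eq $true }
    Properties = 'PasswordLastSet', 'PasswordNeverExpires'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$users = @(Get-ADUser @query)

# PasswordLastSet is $null when pwdLastSet is 0, i.e. the account is already
# flagged to change its password at next logon, so those are not stale.
$stale = @($users | Where-Object {
    $_.PasswordLastSet -ne $null -and $_.PasswordLastSet -lt $IncidentStart
})

$stale |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'DaysSinceChange'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

"{0} of {1} enabled accounts still use a password set before {2:u}" -f $stale.Count, $users.Count, $IncidentStart

if ($Enforce) {
    foreach ($u in $stale) {
        if ($u.PasswordNeverExpires) {
            # "Password never expires" suppresses the change-at-logon prompt; these
            # (often service accounts) need a deliberate manual rotation instead.
            Write-Warning ("{0}: PasswordNeverExpires is set, handle manually" -f $u.SamAccountName)
            continue
        }
        # Clears pwdLastSet so the user must choose a new password at next sign-in.
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -Verbose
    }
}
```

Run it once without -Enforce to review the list, scope it with -SearchBase to an OU if a full-domain reset is not warranted, and only then re-run with -Enforce. Accounts the script skips because "Password never expires" is set still need attention; forcing a change at logon does nothing for them, so they must be rotated by an administrator.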
Password security is essential to protecting critical infrastructure
Securing passwords with policies and resets safeguards accounts and stops the spread of breaches. For example, unauthorized access to accounts enables criminal hackers to move laterally across the network. Lateral movement lets them take control of additional accounts, including admin accounts, and breach and exfiltrate customer databases and intellectual property. Check out Specops Password Policy if you're looking to strengthen your Active Directory password security to safeguard against a breach.
Password security is essential to defending critical infrastructure against ransomware attacks. Cybercriminals infected Colonial Pipeline with ransomware in 2021 using a single compromised password.