Making Sense of Proposed CIRCIA Incident Reporting Rules

Michael Clark

December 3, 2024

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law in March 2022, requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring certain critical infrastructure entities to report “covered” cyber incidents to CISA within 72 hours after the entity reasonably believes the incident occurred. Examples of covered incidents include a breach of a covered entity's network or a disruption of a covered entity’s ability to carry out operations. Covered entities must also report ransomware payments to CISA within 24 hours after the payment is made, unless the payment is connected to a covered cyber incident that has not yet been reported, in which case both can be submitted in a single report under the 72 hour rule.

The purpose of the reporting requirement is to enable CISA to quickly aid victims of cybersecurity attacks, analyze trends, and share intelligence with network defenders.

CISA is currently reviewing feedback on the proposed rules received during the public comment period that closed on July 3, 2024. The final rule is expected to be published no later than Fall 2025. While the election of Donald Trump to a second term as U.S. President has raised questions about the future of both CISA and CIRCIA, ExtraHop provides the following overview of what CIRCIA currently entails.

What Is a Covered Entity Under CIRCIA?

CIRCIA applies to entities in the 16 critical infrastructure sectors. An entity that meets one or more of the proposed criteria is a covered entity, regardless of the industry the entity considers itself part of. Under the proposed rule, an entity that does not exceed the Small Business Administration’s size standard for its industry is not covered on the basis of size alone; it is covered only if it meets one of the sector-based criteria.

A significant number of companies that produce IT hardware and software will be required to report under the criteria for the IT sector, regardless of their size. IT hardware and software companies that provide products or services to the Federal government will be required to report, as will those whose products or services rely on or control privileged access, are used in operational technology (OT), or operate elements of the domain name system (DNS).

What Is a Covered Cyber Incident Under CIRCIA?

Covered entities must report any “substantial cyber incident” they experience. CISA’s proposed rule defines a substantial cyber incident as one that leads to any of the following impacts:

  • Substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network
  • Serious impact on the safety and resilience of a covered entity’s operational systems or processes
  • Disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services
  • Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated or caused by a
    • Compromise of a cloud service provider, managed service provider, or other third party data hosting provider
    • Supply chain compromise

Covered entities must also report any ransomware payments, which are defined to include the transfer of any money, property, or asset (including virtual currency, like Bitcoin) delivered in connection with a ransomware attack.

What Must CIRCIA Reports Contain?

Covered cyber incident reports must contain specific information about the incident, to the extent that it is applicable and available, so that CISA can use this information to provide assistance to the affected entity and help other organizations prevent similar incidents. These specifics include any information related to the identity of the perpetrator, a description of the incident (including impacts, vulnerabilities exploited, indicators of compromise, TTPs used, etc.), and any mitigation and response activities undertaken by the covered entity.

Reports involving a ransomware payment must include the ransom demand and payment details, including the instructions and amount demanded.

Since new information often comes to light as an investigation progresses, CISA also provides a mechanism to provide updates through supplemental reports. These reports can contain any substantial new or different information, notice of any ransoms paid after the submission of an initial report, or a notification that a covered cyber incident has concluded.

Covered entities must also preserve certain data and records related to the incident for a minimum of two years from the date the latest report was submitted. The preservation obligation begins on the date the entity reasonably believes the covered cyber incident occurred, or the date on which a ransom payment was made, whichever is earlier.

How RevealX Can Help Organizations Meet CIRCIA Reporting Requirements

Meeting the rigorous requirements of CISA’s reporting obligations will require organizations to investigate incidents quickly enough to determine, within the mandated deadlines, whether they rise to the level of a substantial cyber incident. RevealX provides rich information about network traffic flows, devices, packet payloads, and more, enabling organizations to understand the scope, impact, and potential substantiality of an incident at speed.

By combining full packet capture (PCAP) and analysis with SSL and TLS 1.3 decryption capabilities, RevealX provides organizations with the ground truth about what’s happening on their network, what devices are communicating with each other, the data being transmitted, and more. Decryption is critical for defenders because threat actors frequently use encrypted channels to evade detection, and they often encrypt data before they exfiltrate it during a ransomware attack. RevealX enables security teams to see if encrypted data or traffic contains personally identifiable information or other sensitive data that could affect the substantiality of an incident.

Other network detection and response (NDR) solutions that don’t capture full packets, that rely only on NetFlow data, or that don’t decrypt traffic can’t provide organizations with the same level of detailed, accurate data that RevealX can. Analysis of packet headers and other NetFlow metadata can confirm that an attack took place, but it cannot reveal the full attack chain, the TTPs the threat actor used, what was compromised, or whether the breach is substantial.

RevealX takes advantage of real-time stream processing and cloud-scale machine learning to provide these essential detection and investigation capabilities at unmatched speed and scale. Full PCAP analysis and decryption used to be out of reach for many organizations, but the architecture and technical capabilities underpinning RevealX have made it highly efficient and accessible to organizations of all sizes that need to comply with CIRCIA and other cyber incident reporting requirements.

Download our e-book for best practices from experienced CISOs on how to communicate with executives in the aftermath of a breach.
