The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement incident reporting regulations for critical infrastructure entities. The proposed rule is open for public comment until July 3, 2024.
Because CIRCIA will affect a large share of US higher education and research institutions, the REN-ISAC encourages all higher education security leaders to review the CIRCIA Notice of Proposed Rulemaking, discuss its implications with their teams and legal departments, and submit feedback to shape the final regulation. The REN-ISAC collected, compiled, and anonymized member feedback for a consolidated submission to CISA before the end of the comment period (the REN-ISAC's own collection window has closed; institutions can still comment directly to CISA).
What is CIRCIA?
In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act. Enactment of CIRCIA marked an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.
According to the proposed rule “CIRCIA requires covered entities to report to CISA within certain prescribed timeframes any covered cyber incidents, ransom payments made in response to a ransomware attack, and any substantial new or different information discovered related to a previously submitted report.”
The REN-ISAC has published an abbreviated, pared-down overview of the proposed rule for members who do not want to read the full CIRCIA documentation.
How does CIRCIA affect higher education?
Many higher education institutions will qualify as a “covered entity” under the CIRCIA proposed rule and will therefore be subject to its reporting requirements. Covered entities include
[Any] local educational agency, educational service agency, or state educational agency, as defined under 20 U.S.C. 7801, with a student population equal to or greater than 1,000 students; or [any] institute of higher education that receives funding under Title IV of the Higher Education Act, 20 U.S.C. 1001 et seq. (proposed rule, § 226.2)
Under the proposed rule, “a covered entity that experiences a covered cyber incident must report the covered cyber incident” within 72 hours after the entity reasonably believes the incident has occurred. A covered cyber incident is a “substantial cyber incident experienced by a covered entity,” and a substantial cyber incident is one that leads to any of the following:
- A substantial loss of confidentiality, integrity, or availability of the entity’s information system or network.
- A serious impact on the safety and resiliency of the entity’s operational systems and processes.
- A disruption of the entity’s ability to engage in business or industrial operations or deliver goods or services.
- Unauthorized access to the entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by (i) a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or (ii) a supply chain compromise. (proposed rule, § 226.1)
Covered entities must also report, within 24 hours of disbursement, any ransom payment (money, property, or other asset) made in connection with a ransomware attack. This obligation applies even when the underlying attack does not itself rise to the level of a covered cyber incident, and supplemental reports are required when substantial new or different information is discovered about a previously reported incident or payment.
For more information, watch REN-ISAC’s recent webinar: “CIRCIA Reporting Requirements and Potential Impact on Colleges and Universities.”
What to do next?
The REN-ISAC encourages all CISOs and security leaders to
- Review the proposed rule with their staff and with university counsel
- Review and update (or plan to update) incident response plans so that CIRCIA reporting, including the 72-hour incident and 24-hour ransom payment deadlines, is built into the escalation and notification steps
- Coordinate with institutional leadership and the federal affairs office to record feedback
- Share feedback with the REN-ISAC (the REN-ISAC's own collection window has closed; comments can still be submitted directly to CISA until the comment period ends)
The REN-ISAC is available to any US higher education institution with questions or concerns. Contact us at soc@ren-isac.net.