TheCorporateCounsel.net

April 11, 2024

Cybersecurity: Proposed CISA Incident Reporting Rule Casts a Wide Net

On April 4, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) issued a proposed rule to implement the reporting requirements imposed by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The proposed rule would impose cyber incident and ransom payment reporting obligations on “covered entities”, and this Venable memo says it casts a very wide net:

The regulation would encompass a wide range of “covered entities” in critical infrastructure sectors. Importantly, CISA makes clear that “covered entities” would be broader than owners and operators of critical infrastructure systems and assets. Instead, entities that are active participants in critical infrastructure sectors may be considered “in the sector,” even if the entity itself is not critical infrastructure. [Sec. IV.B.i] CISA welcomes your organization’s outreach if you are unsure whether you are part of a critical infrastructure sector. [Sec. IV.B.ii]

To establish what qualifies as “critical infrastructure sectors,” CIRCIA draws from Presidential Policy Directive 21 (PPD-21). [Sec. IV.B.i] PPD-21 enumerates 16 sectors, encompassing services across large swathes of the economy. The critical infrastructure sectors are 1) Chemical, 2) Commercial facilities, 3) Communications, 4) Critical manufacturing, 5) Dams, 6) Defense industrial base, 7) Emergency services, 8) Energy, 9) Financial services, 10) Food and agriculture, 11) Government facilities, 12) Healthcare and public health, 13) Information technology, 14) Nuclear reactors, materials, and waste, 15) Transportation systems, and 16) Water and wastewater systems.

Umm, that’s a whole lot of sectors! CISA’s definition of “critical infrastructure sectors” kind of reminds me of James Joyce’s famous definition of the Catholic Church – “here comes everybody.” Anyway, the memo says that the comment period will expire on June 3, 2024 and CISA expects to have a final rule in place in early 2026.

John Jenkins