On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) seeking input from stakeholders on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Signed by President Biden in March, CIRCIA requires CISA to develop and implement regulations requiring covered entities to report information about covered cyber incidents and ransom payments to CISA. As we noted in March, CISA has 24 months to publish a Notice of Proposed Rulemaking (NPRM) in the Federal Register. CISA is releasing this RFI to gather public comments prior to publishing the NPRM. While commenters can provide input on any aspect of CIRCIA, CISA is specifically seeking input on the following:
- Definitions of key statutory terms whose meaning CIRCIA left to CISA rulemaking, including what constitutes a “covered entity” and a “covered cyber incident.”
- The form, manner, content, and procedures for submission of reports required by CIRCIA.
- Areas where obligations under CIRCIA may duplicate or conflict with existing cyber reporting obligations.
- Policies and procedures, such as enforcement procedures and information protection policies, that will be required to implement CIRCIA.
Given the items that CISA is seeking specific input on, we can expect the proposed rule to provide additional clarity on who the law applies to, when reporting will be required, and the contents of any required reporting. In addition to accepting public comment, CISA is holding public listening sessions in various locations through November this year.
Companies interested in submitting a comment to CISA should reach out to one of the attorneys listed below or to the Alston & Bird attorney with whom they maintain a relationship. Written comments must be submitted by November 14, 2022, to guarantee consideration.