Learn about the extensive reporting requirements of the proposed CIRCIA rule for critical infrastructure incidents, impacting DIB contractors. Get insights on potential changes and prepare for potentially expanded reporting obligations.
Watch the Podcast
What is CIRCIA?
In response to the ransomware attack on Colonial Pipeline, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act. “CIRCIA” directs CISA to conduct rulemaking and issue a regulation establishing comprehensive cyber incident reporting requirements across the various critical infrastructure sectors.
Here is our CIRCIA primer episode.
What is the impact of CIRCIA on the DIB?
The Defense Industrial Base is designated as a critical infrastructure sector and defense contractors have had cyber incident reporting obligations pursuant to DFARS clause 252.204-7012 for many years. But CISA’s 457-page proposed rule both duplicates and expands existing DFARS reporting requirements.
Should DFARS 252.204-7012 be expanded to match CIRCIA Incident Reporting Requirements to Prevent Double-Reporting?
61% of respondents to a recent (and very scientific) LinkedIn poll think that DFARS clause 252.204-7012 incident reporting requirements should expand to match the reporting requirements outlined in the Cyber Incident Reporting for Critical Infrastructure (CIRCIA) proposed rule.
While this change would make things more efficient for defense contractors, we’re pretty sure folks are underestimating exactly how detailed a proposed CIRCIA incident report will be.
CIRCIA Reporting Requirements vs DFARS Clause 252.204-7012
DoD contractors currently have cyber incident reporting requirements when those incidents involve Controlled Unclassified Information or the systems that store, process or transmit CUI.
In contrast to CIRCIA, current requirements are much more narrowly scoped.
Whether or not CISA and DoD establish a CIRCIA reporting agreement, the existing reporting obligations under DFARS clause 252.204-7012 are "substantially different" than what CIRCIA requires.
Due to this discrepancy, DoD contractors will see expanded incident reporting requirements even if DoD and CISA reach an agreement that allows contractors to only report to a single agency.
My advice is to get familiar with the rule now and plan accordingly.
A Quick Review: DoD contractors and subcontractors are “covered entities” under the CIRCIA proposed rule therefore the requirements of the CIRCIA rule will apply to them.
From the proposed rule, a “Covered Entity” means an entity that either:
(a) Exceeds the small business size standard (according to industry NAICS codes); or
(b) Meets a sector-based criterion
In this case, the obligations imposed by DFARS clause 252.204-7012 when handling Controlled Unclassified Information constitute a sector-based criterion.
A “Covered Cyber Incident” means a “substantial” cyber incident experienced by a covered entity
Substantial cyber incident means a cyber incident that leads to any of the following:
(1) A substantial loss of confidentiality, integrity or availability of a covered entity's information system or network;
(2) A serious impact on the safety and resiliency of a covered entity's operational systems and processes;
(3) A disruption of a covered entity's ability to engage in business or industrial operations, or deliver goods or services;
(4) Unauthorized access to a covered entity's information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a:
(i) Compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or
(ii) Supply chain compromise.
Types of CIRCIA Reports and Submission Deadlines
Covered Cyber Incident
- Must report NLT 72 hours after “reasonable belief” that a covered cyber incident has occurred.
Ransom Payment
- NLT 24 hours after the ransom payment has been disbursed.
- Must report even if not a covered incident.
Covered Cyber Incident and Ransom Payment (combo)
- NLT 72 hours after
Supplemental Reports
- “Promptly” (NLT 24 hours for ransom payments even if you’ve reported a covered incident previously)
- After any substantially new or different information
- Notification that the incident has concluded (optional)
Required Information in CIRCIA Incident Reports (Boilerplate)
According to the CIRCIA proposed rule, section 226.7, covered entities must provide the following boiler-plate information to the extent such information is available and applicable to the event reported:
(a) Identification of the type of CIRCIA Report submitted by the covered entity;
(b) Information relevant to establishing the covered entity's identity, including the covered entity's:
(1) Full legal name;
(2) State of incorporation or formation;
(3) Affiliated trade names;
(4) Organizational entity type;
(5) Physical address;
(6) website;
(7) Internal incident tracking number for the reported event;
(8) Applicable business numerical identifiers;
(9) Name of the parent company or organization, if applicable; and
(10) The critical infrastructure sector or sectors in which the covered entity considers itself to be included;
(c) Contact information, including the full name, email address, telephone number, and title for:
(1) The individual submitting the CIRCIA Report on behalf of the covered entity;
(2) A point of contact for the covered entity if the covered entity uses a third party to submit the CIRCIA Report or would like to designate a preferred point of contact that is different from the individual submitting the report; and
(3) A registered agent for the covered entity, if neither the individual submitting the CIRCIA Report, nor the designated preferred point of contact are a registered agent for the covered entity; and
(d) If a covered entity uses a third party to submit a CIRCIA Report on the covered entity's behalf, an attestation that the third party is expressly authorized by the covered entity to submit the CIRCIA Report on the covered entity's behalf.
Required Information for Covered Cyber Incidents
According to the CIRCIA proposed rule section 226.8, in addition to the above information, covered entities must provide:
a) A description of the Covered Cyber Incident/Ransomware Attack, including but not limited to:
(1) Identification and description of the function of the affected networks, devices, and/or information systems that were, or are reasonably believed to have been, affected by the Covered Cyber Incident/Ransomware Attack, including but not limited to:
(i) Technical details and physical locations of such networks, devices, and/or information systems; and
(ii) Whether any such information system, network, and/or device supports any elements of the intelligence community or contains information that has been determined by the United States Government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in 42 U.S.C. 2014(y);
(2) A description of any unauthorized access, regardless of whether the Covered Cyber Incident/Ransomware Attack involved an attributed or unattributed cyber intrusion,
- Identification of any informational impacts or information compromise,
- And any network location where activity was observed;
(3) Dates pertaining to the Covered Cyber Incident/Ransomware Attack, including but not limited to:
(i) The date the Covered Cyber Incident/Ransomware Attack was detected;
(ii) The date the Covered Cyber Incident/Ransomware Attack began;
(iii) If fully mitigated and resolved at the time of reporting, the date the Covered Cyber Incident/Ransomware Attack ended;
(iv) The timeline of compromised system communications with other systems; and
(v) For Covered Cyber Incident/Ransomware Attacks involving unauthorized access, the suspected duration of the unauthorized access prior to detection and reporting; and
(4) The impact of the Covered Cyber Incident/Ransomware Attack on the covered entity's operations, such as - Information related to the level of operational impact and direct economic impacts to operations;
- Any specific or suspected physical or informational impacts; and
- Information to enable CISA's assessment of any known impacts to national security or public health and safety;
(b) The category or categories of any information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person or persons; (Covered Incident Only)
(c) A description of any vulnerabilities exploited, including but not limited to the specific products or technologies and versions of the products or technologies in which the vulnerabilities were found;
(d) A description of the covered entity's security defenses in place, including but not limited to any controls or measures that resulted in the detection or mitigation of the incident;
(e) A description of the type of incident and the tactics, techniques, and procedures used to perpetrate the Covered Cyber Incident/Ransomware Attack, including but not limited to any tactics, techniques, and procedures used to gain initial access to the covered entity's information systems, escalate privileges, or move laterally, if applicable;
(f) Any indicators of compromise ... observed in connection with the Covered Cyber Incident/Ransomware Attack;
(g) A description and, if possessed by the covered entity, a copy or samples of any malicious software the covered entity believes is connected with the Covered Cyber Incident/Ransomware Attack;
(h) Any identifying information, including but not limited to all available contact information, for each actor reasonably believed by the covered entity to be responsible for the Covered Cyber Incident/Ransomware Attack;
(i) A description of any mitigation and response activities taken by the covered entity in response to the Covered Cyber Incident/Ransomware Attack, including but not limited to:
(1) Identification of the current phase of the covered entity's incident response efforts at the time of reporting;
(2) The covered entity's assessment of the effectiveness of response efforts in mitigating and responding to the Covered Cyber Incident/Ransomware Attack;
(3) Identification of any law enforcement agency that is engaged in responding to the Covered Cyber Incident/Ransomware Attack, including but not limited to
- Information about any specific law enforcement official or point of contact,
- Notifications received from law enforcement, and
- Any law enforcement agency that the covered entity otherwise believes may be involved in investigating the Covered Cyber Incident/Ransomware Attack; and
(4) Whether the covered entity requested assistance from another entity in responding to the Covered Cyber Incident/Ransomware Attack and, if so, the identity of each entity and a description of the type of assistance requested or received from each entity;
Required Information for Ransom Payment Reports
In addition to the information the in previous two sections, DoD contractors and other covered entities must provide the following information after disbursing ransomware payments:
(h) The date of the ransom payment;
(i) The amount and type of assets used in the ransom payment;
(j) The ransom payment demand, including but not limited to the type and amount of virtual currency, currency, security, commodity, or other form of payment requested;
(k) The ransom payment instructions, including but not limited to information regarding how to transmit the ransom payment; the virtual currency or physical address where the ransom payment was requested to be sent; any identifying information about the ransom payment recipient; and information related to the completed payment, including any transaction identifier or hash;
(l) Outcomes associated with making the ransom payment, including but not limited to whether any exfiltrated data was returned or a decryption capability was provided to the covered entity, and if so, whether the decryption capability was successfully used by the covered entity.
Sum IT Up Podcast
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
