Think the March 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) doesn't apply to your clients' businesses because they're too small? Think again. Some 311,000 ‘small entities’ are subject to proposed reporting rules and regulations under the new CIRCIA law, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said this month.
Under the proposed rules, covered entities (those organizations subject to the regulation) must report major cyber incidents to CISA within 72 hours and ransom payments within 24 hours. The regulation is unlikely to take effect until late 2025 at the earliest, and possibly not until 2026, CISA said.
Why are these important figures for MSPs and MSSPs? Because small businesses are in the wheelhouse of many MSPs and MSSPs. And, of course, many MSPs and MSSPs are themselves small businesses, making it doubly important to understand the scope and reach of the CIRCIA legislation.
While a good number of small businesses hire a dedicated IT manager, MSPs and MSSPs are often part or all of the IT strategy for small and mid-sized companies. By outsourcing the responsibility of network monitoring, IT management, and cybersecurity to a third-party provider, internal IT teams or managers at small businesses can focus on strategic initiatives and core objectives rather than getting bogged down by day-to-day IT tasks and troubleshooting.
The CIRCIA Law: Reporting Requirements, Comment Period
The CIRCIA law requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the agency. CISA developed a Notice of Proposed Rulemaking (NPRM), which was published on April 4, 2024 in the Federal Register and is open for public comment until June 3, 2024.
As to the issue of timely reporting, CISA said it “recognizes that covered entities may require some limited time to conduct preliminary analysis before establishing a reasonable belief that a covered cyber incident has occurred and thereby triggering the 72-hour timeframe for reporting.”
CIRCIA is centered around the idea that required reporting will enable CISA to deploy resources to help cybercrime victims, analyze incoming data to spot trends, and share information with cyber defenders to warn other potential victims.
To determine covered organizations, CISA estimated the number of small entities within each of the 280 relevant NAICS (North American Industry Classification System) codes. CISA then performed a financial analysis to assess the impacts of the rule on small entities.
Cost Analysis on the Rule's Impact on SMBs
Based on its analysis, CISA found:
- Of the estimated 316,244 covered entities, CISA estimates that 310,855 would be considered small entities, including businesses, some government agencies and organizations.
- Of the 264 NAICS codes with available revenue data, 99.2% had a revenue impact of less than or equal to 1%.
- CISA estimated that the average cost per non-covered entity would be $33.58 and the average cost per covered entity experiencing a single covered cyber incident would be $4,139.60.
Costs for covered entities will include “becoming familiar with the proposed rule, followed by the recurring data and records preservation requirements, and then reporting requirements,” CISA said.
In the NPRM, CISA said it “wants to assist small entities in understanding this proposed rule so that they can better evaluate its effects on them and participate in the rulemaking.”
Of particular note, CISA will not “retaliate against small entities that question or complain about this proposed rule or any policy or action of the CISA.”
CISA Director Calls the Rule a Game Changer
CISA director Jen Easterly called CIRCIA a “game changer” in that it affects the “whole cyber community” and people “invested” in protecting the nation’s critical infrastructure. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” she said in a statement. “We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule.”
Along those lines, large entities in each of the critical infrastructure sectors are covered by the rule regardless of whether they meet certain threshold criteria. Requirements for 13 of the 16 critical infrastructure sectors are included in the proposed rule.
An Overview of the CISA Report
In a blog post, the National Law Review praised CISA for making the 400+ page report “understandable, helpful, and (gasp!) overall quite reasonable.”
Here’s a top-down look into the report from the blog:
- CISA discusses its process for determining key definitions in the rule (including approaches it considered and ultimately discarded).
- CISA provides an overview of current cyber incident reporting requirements in the U.S. (as part of a discussion regarding its harmonization efforts, for which a lot of us had high hopes that will not be realized).
- CISA gives us examples of what may and may not constitute a reportable incident under the rule (for example, short-term unavailability of a business system or temporary rerouting of network traffic, or even exploitation of a known vulnerability by a threat actor that is quickly detected and remediated, typically would not be considered reportable incidents).