In a move to bolster cybersecurity measures across the United States, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law in March 2022. The legislation marks a significant development in the country’s response to cyber incidents targeting its vital infrastructure.
The signing of CIRCIA ushers in a new era of enhanced cybersecurity strategies and initiatives nationwide. The primary objective of the legislation is to facilitate rapid response and effective coordination in the wake of any cyber incidents that target fundamental national infrastructure.
Under CIRCIA, new cyber incident reporting requirements will be established. The specifics of this mechanism are not yet spelled out in the current text of the law. However, the implication is a new emphasis on swift data collection and information sharing to manage and mitigate any cyber threats or incidents.
The regulatory body responsible for drafting the detailed provisions of the law is the Cybersecurity and Infrastructure Security Agency (CISA). CISA is expected to issue a Notice of Proposed Rulemaking (NPRM) between late 2023 and early 2024. This notice will invite feedback and further input on the draft provisions from industry stakeholders, members of the public, and professional communities.
As the NPRM is yet to be issued, it remains unclear which sectors will be deemed ‘critical’ and thus fall under the new reporting requirements. Legal professionals and companies in the potentially affected industries might wish to begin preparing now and review their current cyber risk management strategies so that they can respond effectively to the NPRM when it is published.
To follow updates on the further development of this important piece of legislation, refer to analysis provided by leading law firms such as Lowenstein Sandler LLP.