CISA Cyber Incident Reporting Requirements 2024

Here's what you need to know about CISA's new cyber incident reporting rules:

• Who: Critical infrastructure organizations in sectors like healthcare, energy, finance
• What: Report major cyber incidents and ransomware payments
• When:
  • Cyber incidents: Within 72 hours
  • Ransom payments: Within 24 hours
• How: Via web form, CISA portal, secure email, or phone hotline

Key points:

• Applies to incidents that significantly impact operations or data
• Penalties for non-compliance include fines and legal action
• CISA uses reports to analyze threats and improve cybersecurity

Report Type	Deadline	What to Include
Cyber Incident	72 hours	Affected systems, impact, attack details
Ransom Payment	24 hours	Payment info, attacker details

Companies should update incident response plans, train staff, and set up processes to detect and report quickly.

Related video from YouTube

CISA's Cyber Incident Reporting Rules

CISA's new rules for reporting cyber incidents are part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). These rules aim to improve national cybersecurity by requiring quick reporting of major cyber incidents.

Who Needs to Report

The rules apply to key infrastructure sectors:

• Healthcare
• Energy
• Manufacturing
• Finance
• Water and power
• Transportation

CISA will choose which companies must report based on how their failure could affect national security, the economy, or public health.

What Incidents to Report

Companies must report:

1. Big cyber incidents
2. Ransomware payments

A "big" incident means someone got in without permission and caused major problems or downtime. Small issues, like failed phishing attempts, don't need to be reported.

Report These	Don't Report These
Large data breaches	Small phishing attempts
Ransomware attacks	Failed break-in tries
DDoS attacks that cause big problems	Short service outages
Getting into important systems without permission	Normal virus detections

When to Report

The new rules set clear deadlines:

• Big cyber incidents: Within 72 hours of thinking an incident happened
• Ransom payments: Within 24 hours of paying

Companies must also quickly send updates if they learn new important information about the incident.

These deadlines help CISA get information fast to check threats and plan responses. Following these reporting times is key for keeping the country's cybersecurity strong.

Organizations Required to Report

Qualifications for Reporting

CISA will choose "covered entities" that must follow CIRCIA's rules for reporting cyber incidents and ransomware payments. These may include organizations in key sectors like:

• Chemical
• Manufacturing
• Health care
• Defense contracting
• Energy
• Financial
• Nuclear
• Transportation

CISA will pick these entities based on:

1. How they might affect national security, the economy, or public health if attacked
2. How likely they are to be targeted by hackers
3. How they could disrupt other key systems if compromised

CISA plans to choose these entities early on, before asking for public input.

Different Rules by Industry

While CIRCIA sets general rules, each industry might have its own specific requirements. CISA will likely consider the unique risks in each sector.

Industry	Possible Specific Rules
Energy	Report issues with control systems
Financial	Focus on data breaches
Healthcare	Protect patient data and medical devices
Transportation	Report supply chain problems

These industry-specific rules will help address the most important cyber risks in each area.

Who Doesn't Have to Report

Not all organizations need to report cyber incidents. Those who might not have to include:

1. Organizations outside key sectors
2. Smaller companies in key sectors that don't meet CISA's criteria
3. Federal agencies already reporting under FISMA
4. Groups that have sent a similar report to another federal agency

Even if not required, CISA still encourages all organizations to report cyber incidents voluntarily. This helps improve overall cybersecurity awareness and response.

What Counts as a Reportable Incident

Definition of 'Covered Cyber Incident'

A covered cyber incident is a big security problem that affects an organization's computer systems or networks. It includes:

1. Major loss of data privacy or system control
2. Big impact on safety or normal operations
3. Stopping business activities or service delivery
4. Someone getting in without permission through:
   • Cloud services
   • Managed service providers
   • Other data hosting companies
   • Supply chain issues

This only applies to illegal acts, not planned security tests.

When to Report an Incident

Type of Incident	Reporting Deadline
Covered cyber incidents	Within 72 hours of believing it happened
Ransom payments	Within 24 hours of paying

Companies should report quickly after checking the problem. This usually takes hours, not days.

Examples of Reportable Incidents

Here's what to report and what not to report:

Report These	Don't Report These
Long service outages from attacks	Short website downtime
Core systems locked by hackers	Virus caught by antivirus software
Big increase in possible hazardous material release	Small business system problems
Power grid system hacks	One user's password stolen (if backups exist)
911 call system problems	Short non-critical system outages
Long downtimes from security holes
Ransomware on control systems
Hacks through fake software updates
Breaches using stolen service provider logins
Stealing sensitive data on purpose

This list helps companies know what CISA considers important to report.

How to Report Incidents

Ways to Submit Reports

CISA offers several ways to report cyber incidents:

Method	Description
Web form	Main way to report - "CIRCIA Incident Reporting Form"
CISA portal	For organizations with existing access
Secure email	For those who can't use the web form
Phone hotline	For urgent situations needing quick help

Choose the best method based on your situation and how urgent the incident is.

Information to Include

When reporting, provide these key details:

Information	What to Include
Report type	Cyber incident, ransom payment, or both
Company info	Legal name, other names, address, website
Contact details	Phone numbers and emails for follow-up
What happened	Affected systems, networks, devices, locations
Tech details	How attackers got in, security measures, attack methods
Effects	How it impacted operations, data, and business
When it happened	Best guess of when the incident occurred
Signs of attack	Any clues about the malicious activity
Attacker info	Details about who might have done it, if known

Giving complete information helps CISA understand and respond to the situation better.

Extra Documents Needed

CISA might ask for more items:

1. Malware samples: Copies of any harmful software found
2. Log files: Records from affected systems and networks
3. System copies: Images of affected computers for analysis
4. Incident reports: Any assessments done by your team or outside experts
5. Fix-it plans: Steps taken to solve the problem and prevent future issues

Be ready to send these extra materials quickly if CISA asks for them. This helps them analyze and respond to the incident more effectively.

Reporting Deadlines

Time Limit for First Report

CISA has set clear deadlines for reporting cyber incidents and ransom payments:

Report Type	Deadline
Cyber Incident	72 hours
Ransom Payment	24 hours

For cyber incidents, the 72-hour countdown starts when a company thinks an incident has happened. For ransom payments, the 24-hour timer begins after paying.

Follow-up Report Rules

Companies must send more reports when they learn new things:

• Tell CISA about any big changes or new information quickly
• Keep CISA updated on how the incident is going
• Share more details as they find out during their checks

This helps CISA stay up-to-date and respond better to cyber threats.

Penalties for Late Reports

While CISA hasn't spelled out exact penalties for late reports, not following the rules can cause problems:

Possible Consequences	Description
Fines	CISA might charge money for late reports
Legal Action	CISA can use the law to make companies share information
Government Involvement	If a company keeps breaking rules, CISA might tell the Attorney General

To avoid these issues, companies should:

• Set up ways to report quickly
• Make sure everyone knows the rules
• Practice reporting to be ready

sbb-itb-ea3f94f

Exceptions to Reporting Rules

When Reports Can Be Delayed

CISA allows delays in reporting under these conditions:

• Need for quick analysis to confirm a cyber incident
• Ongoing incident where reporting might slow down response
• More time needed to gather correct information

Companies should do this analysis fast, usually in hours, to meet the 72-hour deadline.

Other Ways to Report

CISA offers different reporting methods:

Method	Details
Web Form	Main way to report (CIRCIA Incident Reporting Form)
Other Approved Ways	Extra methods allowed by CISA's director
Combined Report	One report for both cyber incident and ransom payment

The combined report option makes it easier when both apply.

Reporting to Other Agencies

CISA can accept reports sent to other federal agencies:

1. Similar Reports: If a company already sent a like report to another agency, CISA might accept it instead of a new one.

2. Agency Agreements: CISA will work with other agencies to accept their reports if:

• The agency asks for like info in a similar time
• The agency agrees to give CISA the report on time

3. FISMA Reports: Federal agencies that report under FISMA might not need to report again under CIRCIA.

These rules help cut down on extra work while making sure CISA gets important info quickly.

After Reporting an Incident

How CISA Handles Reports

CISA follows these steps when processing incident reports:

1. Check Reports: CISA looks at reports sent through their web form or other approved ways.

2. Combine Data: They put together info from different reports to get a full picture of cyber threats.

3. Study the Data: CISA experts look for patterns, check how well security measures work, and learn about risks to key systems.

4. Share Findings: CISA tells other government agencies and security groups what they've learned to help improve cybersecurity.

Using Reported Information

CISA uses the reported info in these ways:

Use	What It Means
Find Patterns	Spot new cyber threats
Make Threat Info	Create useful info about threats for others
Help with Attacks	Make better plans to deal with cyber attacks
Improve Safety	Create better ways to protect against attacks
Change Rules	Help make new cybersecurity rules

This helps make the country's cyber defenses stronger.

Next Steps and Investigations

After looking at reports, CISA does these things:

1. Ask for More Info: If they need to know more, CISA might ask companies for extra details.

2. Keep Records: Companies must save data about the incident for at least two years.

3. Work with Others: CISA teams up with groups like the FBI to look into big problems.

4. Tell People What's Happening: Every three months, CISA shares what they've learned about cyber threats.

5. Get Better: CISA uses what they learn to make their own work better and update advice for keeping important systems safe.

Protecting and Using Reported Data

Keeping Reports Safe

CISA works hard to keep cyber incident reports secure. They use:

• Safe ways to send reports
• Locked storage for data
• Limits on who can see reports
• Regular checks on safety systems

These steps help CISA keep information private and build trust with those who report.

Rules for Sharing Information

CISA follows strict rules when sharing report data:

Rule	Description
Remove names	Take out details that could identify who reported
Share only when needed	Give info just to important groups
Control who gets info	Carefully manage who sees threat details
Follow laws	Make sure sharing follows privacy rules

These rules help CISA share useful info without putting reporters at risk.

How CISA Uses Report Data

CISA uses the data from reports to make cybersecurity better:

Use	What It Means
Find patterns	Spot new cyber threats
Check weak spots	See how well safety measures work
Help quickly	Send help to those under attack
Share warnings	Tell others how to stay safe
Make better rules	Create new ways to protect systems

Consequences of Not Reporting

How Rules Are Enforced

CISA can take these steps if a company doesn't report:

1. Ask for Info: CISA may request details about a possible unreported incident.

2. Legal Order: If a company doesn't answer, CISA can make them share info by law.

3. Tell Others: CISA might ask the Department of Homeland Security or Attorney General to step in.

Possible Fines and Other Penalties

Not following CISA's rules can lead to:

Penalty	What It Means
Money Fines	CISA can charge fees
Legal Action	The Attorney General might sue
Criminal Charges	Serious cases could go to court
Lost Contracts	Companies might not get government work

Companies might also lose trust from customers and partners.

How to Challenge Penalties

If a company gets in trouble, they can:

1. Ask CISA to Check Again: Request CISA to look at their decision one more time.

2. Go to Court: If talking to CISA doesn't work, the company can ask a judge to decide.

3. Show They've Improved: Tell CISA how they've fixed their reporting problems.

Companies should talk to a lawyer to help them challenge penalties the right way.

Getting Ready for New Rules

Steps to Follow Rules

To get ready for CISA's new cyber incident reporting rules, companies should:

1. Check if the rules apply to them
2. Update their incident response plan
3. Set up ways to keep records for over two years
4. Practice responding to fake cyber attacks
5. Keep up with CISA's latest info

Setting Up Internal Processes

Companies need good internal processes to meet CISA's rules:

Process	Description
Quick detection	Set up tools to spot cyber problems fast
Clear reporting steps	Make a plan for collecting and sending info to CISA on time
Good communication	Set up ways for IT, security, legal, and bosses to talk quickly
Data storage	Keep important info for as long as CISA says
Regular checks	Look at how well your processes work and fix any problems

Training Staff on Reporting

Teaching staff about the new rules is key:

1. Tell everyone in the company why reporting cyber incidents matters
2. Give special training to IT, security, and legal teams on what CISA needs
3. Practice responding to fake cyber attacks often
4. Write down clear steps for reporting and share them with staff
5. Keep learning about CISA's rules and update your training

Conclusion

Main Points to Remember

• Tell CISA about cyber problems quickly using their forms or email (report@cisa.gov)
• In your report, include:
  • When and where it happened
  • What kind of problem it was
  • What systems were affected
  • How bad the problem is
  • Who to contact for more info
• CISA uses these reports to:
  • Find patterns in attacks
  • Help stop future problems
  • Keep important systems safe
• Quick reports help CISA warn and help others

Working Together on Cybersecurity

CISA says working together is key for good cybersecurity:

What to Do	Why It Matters
Share info about threats	Helps everyone stay safer
Act fast when you see something odd	Stops problems from getting bigger
Report problems quickly	Makes everyone's defenses stronger
Learn from shared info	Helps people and businesses understand risks better

Related posts

• Russian Telecom Regulations: 2024 Guide
• AI Disclosure Laws 2024: Business Requirements
• Russian Cybersecurity Standards & Incident Response Guide
• Data Recovery & Compliance Guide: 7 Key Strategies