CISA Cyber Incident Reporting Requirements 2024
Learn about CISA's new cyber incident reporting requirements for critical infrastructure organizations in sectors like healthcare, energy, and finance. Find out who needs to report, what incidents to report, and how to comply.
Here's what you need to know about CISA's new cyber incident reporting rules:
- Who: Critical infrastructure organizations in sectors like healthcare, energy, and finance
- What: Report major cyber incidents and ransomware payments
- When:
  - Cyber incidents: within 72 hours
  - Ransom payments: within 24 hours
- How: Via web form, CISA portal, secure email, or phone hotline
Key points:
- Applies to incidents that significantly impact operations or data
- Penalties for non-compliance include fines and legal action
- CISA uses reports to analyze threats and improve cybersecurity
| Report Type | Deadline | What to Include |
|---|---|---|
| Cyber Incident | 72 hours | Affected systems, impact, attack details |
| Ransom Payment | 24 hours | Payment info, attacker details |
Companies should update incident response plans, train staff, and set up processes to detect and report quickly.
CISA's Cyber Incident Reporting Rules
CISA's new rules for reporting cyber incidents are part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). These rules aim to improve national cybersecurity by requiring quick reporting of major cyber incidents.
Who Needs to Report
The rules apply to key infrastructure sectors:
- Healthcare
- Energy
- Manufacturing
- Finance
- Water and power
- Transportation
CISA will choose which companies must report based on how their failure could affect national security, the economy, or public health.
What Incidents to Report
Companies must report:
- Substantial cyber incidents
- Ransomware payments
A "substantial" incident means an unauthorized party gained access and caused significant harm or downtime. Minor events, such as failed phishing attempts, do not need to be reported.
| Report These | Don't Report These |
|---|---|
| Large data breaches | Minor phishing attempts |
| Ransomware attacks | Failed intrusion attempts |
| DDoS attacks that cause significant disruption | Brief service outages |
| Unauthorized access to critical systems | Routine malware detections |
When to Report
The new rules set clear deadlines:
- Substantial cyber incidents: within 72 hours of reasonably believing an incident has occurred
- Ransom payments: within 24 hours of making the payment
Companies must also quickly send updates if they learn new important information about the incident.
These deadlines help CISA get information fast to check threats and plan responses. Following these reporting times is key for keeping the country's cybersecurity strong.
Organizations Required to Report
Qualifications for Reporting
CISA will choose "covered entities" that must follow CIRCIA's rules for reporting cyber incidents and ransomware payments. These may include organizations in key sectors like:
- Chemical
- Manufacturing
- Health care
- Defense contracting
- Energy
- Financial
- Nuclear
- Transportation
CISA will select these entities based on:
- How an attack on them could affect national security, the economy, or public health
- How likely they are to be targeted by attackers
- How their compromise could disrupt other critical systems
CISA plans to choose these entities early on, before asking for public input.
Different Rules by Industry
While CIRCIA sets general rules, each industry might have its own specific requirements. CISA will likely consider the unique risks in each sector.
| Industry | Possible Specific Rules |
|---|---|
| Energy | Report issues with control systems |
| Financial | Focus on data breaches |
| Healthcare | Protect patient data and medical devices |
| Transportation | Report supply chain problems |
These industry-specific rules will help address the most important cyber risks in each area.
Who Doesn't Have to Report
Not all organizations need to report cyber incidents. Organizations that may be exempt include:
- Organizations outside key sectors
- Smaller companies in key sectors that don't meet CISA's criteria
- Federal agencies already reporting under FISMA
- Groups that have sent a similar report to another federal agency
Even if not required, CISA still encourages all organizations to report cyber incidents voluntarily. This helps improve overall cybersecurity awareness and response.
What Counts as a Reportable Incident
Definition of 'Covered Cyber Incident'
A covered cyber incident is a substantial security event that affects an organization's information systems or networks. It includes:
- Major loss of confidentiality, integrity, or availability of data or system control
- Serious impact on safety or normal operations
- Disruption of business activities or service delivery
- Unauthorized access gained through:
  - Cloud services
  - Managed service providers
  - Other data hosting companies
  - Supply chain compromise
This applies only to unauthorized activity; authorized security testing does not count.
When to Report an Incident
| Type of Incident | Reporting Deadline |
|---|---|
| Covered cyber incidents | Within 72 hours of reasonably believing it occurred |
| Ransom payments | Within 24 hours of paying |
Companies should report promptly after confirming the incident. This initial analysis usually takes hours, not days.
Examples of Reportable Incidents
Here's what to report and what not to report:
| Report These | Don't Report These |
|---|---|
| Prolonged service outages caused by attacks | Brief website downtime |
| Core systems locked by attackers | Malware caught by antivirus software |
| Significant increase in the risk of hazardous material release | Minor business system problems |
| Power grid system intrusions | One user's password stolen (if backups exist) |
| 911 call system disruptions | Brief outages of non-critical systems |
| Extended downtime caused by exploited vulnerabilities | |
| Ransomware on control systems | |
| Compromises delivered through fake software updates | |
| Breaches using stolen service provider credentials | |
| Deliberate theft of sensitive data | |
This list helps companies know what CISA considers important to report.
How to Report Incidents
Ways to Submit Reports
CISA offers several ways to report cyber incidents:
| Method | Description |
|---|---|
| Web form | Main way to report - "CIRCIA Incident Reporting Form" |
| CISA portal | For organizations with existing access |
| Secure email | For those who can't use the web form |
| Phone hotline | For urgent situations needing quick help |
Choose the best method based on your situation and how urgent the incident is.
Information to Include
When reporting, provide these key details:
| Information | What to Include |
|---|---|
| Report type | Cyber incident, ransom payment, or both |
| Company info | Legal name, other names, address, website |
| Contact details | Phone numbers and emails for follow-up |
| What happened | Affected systems, networks, devices, locations |
| Tech details | How attackers got in, security measures in place, attack methods |
| Effects | How it impacted operations, data, and business |
| When it happened | Best estimate of when the incident occurred |
| Signs of attack | Any indicators of the malicious activity |
| Attacker info | Details about who might be responsible, if known |
Giving complete information helps CISA understand and respond to the situation better.
Extra Documents Needed
CISA might ask for more items:
- Malware samples: Copies of any harmful software found
- Log files: Records from affected systems and networks
- System copies: Images of affected computers for analysis
- Incident reports: Any assessments done by your team or outside experts
- Fix-it plans: Steps taken to solve the problem and prevent future issues
Be ready to send these extra materials quickly if CISA asks for them. This helps them analyze and respond to the incident more effectively.
Reporting Deadlines
Time Limit for First Report
CISA has set clear deadlines for reporting cyber incidents and ransom payments:
| Report Type | Deadline |
|---|---|
| Cyber Incident | 72 hours |
| Ransom Payment | 24 hours |
For cyber incidents, the 72-hour countdown starts when a company reasonably believes an incident has occurred. For ransom payments, the 24-hour timer begins once the payment is made.
Follow-up Report Rules
Companies must send more reports when they learn new things:
- Tell CISA about any big changes or new information quickly
- Keep CISA updated on how the incident is going
- Share more details as they find out during their checks
This helps CISA stay up-to-date and respond better to cyber threats.
Penalties for Late Reports
While CISA hasn't spelled out exact penalties for late reports, not following the rules can cause problems:
| Possible Consequences | Description |
|---|---|
| Fines | CISA might impose financial penalties for late reports |
| Legal Action | CISA can legally compel companies to provide information |
| Government Involvement | If a company repeatedly breaks the rules, CISA might refer the matter to the Attorney General |
To avoid these issues, companies should:
- Set up ways to report quickly
- Make sure everyone knows the rules
- Practice reporting to be ready
Exceptions to Reporting Rules
When Reports Can Be Delayed
CISA allows delays in reporting under these conditions:
- Need for quick analysis to confirm a cyber incident
- Ongoing incident where reporting might slow down response
- More time needed to gather correct information
Companies should do this analysis fast, usually in hours, to meet the 72-hour deadline.
Other Ways to Report
CISA offers different reporting methods:
| Method | Details |
|---|---|
| Web Form | Main way to report (CIRCIA Incident Reporting Form) |
| Other Approved Ways | Extra methods allowed by CISA's director |
| Combined Report | One report for both cyber incident and ransom payment |
The combined report option makes it easier when both apply.
Reporting to Other Agencies
CISA can accept reports sent to other federal agencies:
1. Similar Reports: If a company already sent a similar report to another agency, CISA might accept it instead of requiring a new one.
2. Agency Agreements: CISA will work with other agencies to accept their reports if:
   - The agency asks for similar information within a similar timeframe
   - The agency agrees to give CISA the report on time
3. FISMA Reports: Federal agencies that report under FISMA might not need to report again under CIRCIA.
These rules help cut down on extra work while making sure CISA gets important info quickly.
After Reporting an Incident
How CISA Handles Reports
CISA follows these steps when processing incident reports:
1. Check Reports: CISA looks at reports sent through their web form or other approved ways.
2. Combine Data: They put together info from different reports to get a full picture of cyber threats.
3. Study the Data: CISA experts look for patterns, check how well security measures work, and learn about risks to key systems.
4. Share Findings: CISA tells other government agencies and security groups what they've learned to help improve cybersecurity.
Using Reported Information
CISA uses the reported info in these ways:
| Use | What It Means |
|---|---|
| Find Patterns | Spot new cyber threats |
| Produce Threat Info | Create useful information about threats for others |
| Help with Attacks | Make better plans to deal with cyber attacks |
| Improve Safety | Create better ways to protect against attacks |
| Change Rules | Help shape new cybersecurity rules |
This helps make the country's cyber defenses stronger.
Next Steps and Investigations
After looking at reports, CISA does these things:
1. Ask for More Info: If they need to know more, CISA might ask companies for extra details.
2. Keep Records: Companies must save data about the incident for at least two years.
3. Work with Others: CISA teams up with groups like the FBI to look into big problems.
4. Tell People What's Happening: Every three months, CISA shares what they've learned about cyber threats.
5. Get Better: CISA uses what they learn to make their own work better and update advice for keeping important systems safe.
Protecting and Using Reported Data
Keeping Reports Safe
CISA works hard to keep cyber incident reports secure. They use:
- Safe ways to send reports
- Locked storage for data
- Limits on who can see reports
- Regular checks on safety systems
These steps help CISA keep information private and build trust with those who report.
Rules for Sharing Information
CISA follows strict rules when sharing report data:
| Rule | Description |
|---|---|
| Remove names | Take out details that could identify who reported |
| Share only when needed | Give info just to groups that need it |
| Control who gets info | Carefully manage who sees threat details |
| Follow laws | Make sure sharing follows privacy rules |
These rules help CISA share useful info without putting reporters at risk.
How CISA Uses Report Data
CISA uses the data from reports to make cybersecurity better:
| Use | What It Means |
|---|---|
| Find patterns | Spot new cyber threats |
| Check weak spots | See how well safety measures work |
| Help quickly | Send help to those under attack |
| Share warnings | Tell others how to stay safe |
| Make better rules | Create new ways to protect systems |
Consequences of Not Reporting
How Rules Are Enforced
CISA can take these steps if a company doesn't report:
1. Ask for Info: CISA may request details about a possible unreported incident.
2. Legal Order: If a company doesn't respond, CISA can legally compel it to provide the information.
3. Tell Others: CISA might ask the Department of Homeland Security or Attorney General to step in.
Possible Fines and Other Penalties
Not following CISA's rules can lead to:
| Penalty | What It Means |
|---|---|
| Money Fines | CISA can impose financial penalties |
| Legal Action | The Attorney General might sue |
| Criminal Charges | Serious cases could go to court |
| Lost Contracts | Companies might not get government work |
Companies might also lose trust from customers and partners.
How to Challenge Penalties
If a company gets in trouble, they can:
1. Ask CISA to Check Again: Request CISA to look at their decision one more time.
2. Go to Court: If talking to CISA doesn't work, the company can ask a judge to decide.
3. Show They've Improved: Tell CISA how they've fixed their reporting problems.
Companies should talk to a lawyer to help them challenge penalties the right way.
Getting Ready for New Rules
Steps to Follow Rules
To get ready for CISA's new cyber incident reporting rules, companies should:
- Check if the rules apply to them
- Update their incident response plan
- Set up ways to keep records for over two years
- Practice responding to fake cyber attacks
- Keep up with CISA's latest info
Setting Up Internal Processes
Companies need good internal processes to meet CISA's rules:
| Process | Description |
|---|---|
| Quick detection | Set up tools to spot cyber incidents fast |
| Clear reporting steps | Make a plan for collecting and sending info to CISA on time |
| Good communication | Set up ways for IT, security, legal, and management to talk quickly |
| Data storage | Keep important info for as long as CISA requires |
| Regular checks | Review how well your processes work and fix any problems |
Training Staff on Reporting
Teaching staff about the new rules is key:
- Tell everyone in the company why reporting cyber incidents matters
- Give special training to IT, security, and legal teams on what CISA needs
- Practice responding to fake cyber attacks often
- Write down clear steps for reporting and share them with staff
- Keep learning about CISA's rules and update your training
Conclusion
Main Points to Remember
- Tell CISA about cyber incidents quickly using their forms or email (report@cisa.gov)
- In your report, include:
  - When and where it happened
  - What kind of incident it was
  - What systems were affected
  - How severe the impact is
  - Who to contact for more info
- CISA uses these reports to:
  - Find patterns in attacks
  - Help stop future incidents
  - Keep important systems safe
- Quick reports help CISA warn and help others
Working Together on Cybersecurity
CISA says working together is key for good cybersecurity:
| What to Do | Why It Matters |
|---|---|
| Share info about threats | Helps everyone stay safer |
| Act fast when you see something odd | Stops problems from getting bigger |
| Report problems quickly | Makes everyone's defenses stronger |
| Learn from shared info | Helps people and businesses understand risks better |