In March of 2022, President Biden signed into law the Consolidated Appropriations Act 2022. The Consolidated Appropriations Act 2022 wears many hats. The law reauthorizes the Anti-Violence Against Women Act, increases defense spending, provides aid to Ukraine, and funds the White House internship program, allowing interns to be paid for the first time.
One of the less big-ticket – but by no means unimportant – in this $1.5 trillion bill is a new law, the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This Cyber Incident Reporting Act (CIRA) requires regulated entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency, or CISA. CISA is an agency within the Department of Homeland Security. Details of the Consolidated Appropriations Act 2022 are provided below.
Consolidated Appropriations Act 2022 – What Entities are Covered by the CIRA?
The Consolidated Appropriations Act of 2022 created the Cyber Incident Reporting Act, or CIRA, to cover virtually all major sectors of the economy. CIRA regulates 16 specific infrastructure sectors. Each sector requires public-private cooperation to function effectively. Three of the sectors involve healthcare.
These include the:
- Emergency services sector
- Healthcare and public health sector
- IT sector
Consolidated Appropriations Act 2022 – What Must Regulated Entities Do?
Each of the 16 sectors, including the sectors involving healthcare, must take certain actions if they experience a “covered cyber incident.”
- Under the Act, an entity that experiences a “covered cyber incident” must report the incident to CISA no later than 72 hours after the entity “reasonably believes” that such an incident has taken place. CIRA defines a “covered cyber incident” as an “occurrence” that actually “jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or that information system that is “substantial.’” CIRA directs the CISA Director to provide a definition of, and criteria for, what “substantial” is. The CISA Director is expected to do this in the upcoming rulemaking process.
- Entities regulated under CIRA must report any ransomware payments made due to a ransomware act that is a “covered cyber incident” to CISA. The report must be made within 24 hours after making the payment. Entities that make ransomware payments must also preserve data relevant to the attack. The CISA Director is expected to announce, through the rulemaking process, what content the report must contain.
- Entities that experience a “covered cyber incident” must continue to submit updates to CISA as “substantial, new, or different information” becomes available. The continuing reporting obligation runs until a regulated entity notifies CISA that an incident has been fully mitigated and resolved.
Consolidated Appropriations Act 2022: What Can CISA Use Reports For?
The Consolidated Appropriations Act 2022 protects the information submitted in required reports from unnecessary disclosure. The Consolidated Appropriations Act 2022 requires that information in received reports be used only for authorized purposes.
Information may be disclosed to, kept, and used by federal agencies only for the following purposes:
- Cybersecurity-related purposes, including identification of cyber threats and security vulnerabilities.
- To respond to prevent, or mitigate specific threats of death, serious bodily harm, or serious economic harm.
- To respond to or prevent a serious threat to a minor.
- To respond to an offense arising out of a reported incident.
In addition, CIRA forbids the filing of a lawsuit based on someone’s having submitted a report unless the government files that lawsuit to enforce a subpoena against a regulated entity. It is only the act of submitting the report that is protected. A lawsuit may still be filed based upon the cyber incident itself.
Consolidated Appropriations Act 2022: It’s The Rules
The Consolidated Appropriations Act 2022 requires the CISA director to issue rules about what constitutes a “covered cyber incident,” what a report contains, and other reporting requirement rules about data preservation, the manner and timing of reports, and precisely what entities are subject to CIRA. In consultation with Sector Risk Management Agencies, the Department of Justice, and other federal agencies, the director must issue a notice of proposed rulemaking by March of 2024. The director must issue the final rule within 18 months of issuing the proposed rule. The new reporting obligations will not take effect until the CISA Director issues the new rules.
Consolidated Appropriations Act 2022: Relationship to HIPAA
HIPAA, which applies to covered entities and business associates, does not require these entities to report “covered cybersecurity incidents” to any federal agency. HIPAA only requires that breaches of unsecured PHI be reported to HHS. So, CIRA enlarges a HIPAA-beholden entity’s reporting obligations. HIPAA-beholden entities must continue to report breaches per HIPAA and will soon be required to report “covered cybersecurity incidents” and ransomware attacks to CISA.
