One of the less big-ticket items – but by no means an unimportant one – in this $1.5 trillion bill is a new law, the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This Cyber Incident Reporting Act (CIRA) requires regulated entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency, or CISA. CISA is an agency within the Department of Homeland Security. Details of the Consolidated Appropriations Act 2022 are provided below.
Consolidated Appropriations Act 2022 – What Entities are Covered by the CIRA?
The Consolidated Appropriations Act of 2022 created the Cyber Incident Reporting Act, or CIRA, to cover virtually all major sectors of the economy. CIRA regulates 16 specific infrastructure sectors. Each sector requires public-private cooperation to function effectively. Three of the sectors involve healthcare.
These include the:
- Emergency services sector
- Healthcare and public health sector
- IT sector
Consolidated Appropriations Act 2022 – What Must Regulated Entities Do?
Each of the 16 sectors, including the sectors involving healthcare, must take certain actions if they experience a “covered cyber incident.”
- Under the Act, an entity that experiences a “covered cyber incident” must report the incident to CISA no later than 72 hours after the entity “reasonably believes” that such an incident has taken place. CIRA defines a “covered cyber incident” as an “occurrence” that actually “jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or that information system” and that is “substantial.” CIRA directs the CISA Director to provide a definition of, and criteria for, what “substantial” means. The CISA Director is expected to do this in the upcoming rulemaking process.
- Entities regulated under CIRA must report to CISA any ransomware payment made as a result of a ransomware attack that is a “covered cyber incident.” The report must be made within 24 hours after making the payment. Entities that make ransomware payments must also preserve data relevant to the attack. The CISA Director is expected to announce, through the rulemaking process, what content the report must contain.
- Entities that experience a “covered cyber incident” must continue to submit updates to CISA as “substantial, new, or different information” becomes available. The continuing reporting obligation runs until a regulated entity notifies CISA that an incident has been fully mitigated and resolved.