Consolidated Appropriations Act 2022

In March of 2022, President Biden signed into law the Consolidated Appropriations Act 2022. The Consolidated Appropriations Act 2022 wears many hats. The law reauthorizes the Anti-Violence Against Women Act, increases defense spending, provides aid to Ukraine, and funds the White House internship program, allowing interns to be paid for the first time.

One of the less big-ticket – but by no means unimportant – items in this $1.5 trillion bill is a new law, the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This Cyber Incident Reporting Act (CIRA) requires regulated entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency, or CISA. CISA is an agency within the Department of Homeland Security. Details of the Consolidated Appropriations Act 2022 are provided below.

Consolidated Appropriations Act 2022 – What Entities are Covered by the CIRA?

The Consolidated Appropriations Act of 2022 created the Cyber Incident Reporting Act, or CIRA, to cover virtually all major sectors of the economy. CIRA regulates 16 specific infrastructure sectors. Each sector requires public-private cooperation to function effectively. Three of the sectors involve healthcare. 

These include:

  • Emergency services sector
  • Healthcare and public health sector
  • IT sector

Consolidated Appropriations Act 2022 – What Must Regulated Entities Do?

Entities in each of the 16 sectors, including the sectors involving healthcare, must take certain actions if they experience a “covered cyber incident.”

  1. Under the Act, an entity that experiences a “covered cyber incident” must report the incident to CISA no later than 72 hours after the entity “reasonably believes” that such an incident has taken place. CIRA defines a “covered cyber incident” as an “occurrence” that actually “jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or that information system” and that is “substantial.” CIRA directs the CISA Director to provide a definition of, and criteria for, what “substantial” is. The CISA Director is expected to do this in the upcoming rulemaking process.
  2. Entities regulated under CIRA must report any ransomware payments made due to a ransomware act that is a “covered cyber incident” to CISA. The report must be made within 24 hours after making the payment. Entities that make ransomware payments must also preserve data relevant to the attack. The CISA Director is expected to announce, through the rulemaking process, what content the report must contain.
  3. Entities that experience a “covered cyber incident” must continue to submit updates to CISA as “substantial, new, or different information” becomes available. The continuing reporting obligation runs until a regulated entity notifies CISA that an incident has been fully mitigated and resolved. 


Consolidated Appropriations Act 2022: What Can CISA Use Reports For?

The Consolidated Appropriations Act 2022 protects the information submitted in required reports from unnecessary disclosure and requires that information in received reports be used only for authorized purposes.

Information may be disclosed to, kept, and used by federal agencies only for the following purposes:

  • Cybersecurity-related purposes, including identification of cyber threats and security vulnerabilities.