How CIRCIA is changing crisis communication


Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis.

When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath.

In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). But because the wheels of government move slowly, it is just now in 2024 that the Cybersecurity and Infrastructure Security Agency (CISA), the agency tasked with overseeing CIRCIA, is completing the mandatory rule requirements so the law can go into effect. On April 4, CISA published a Notice of Proposed Rulemaking (NPRM), which was open for public comment until July 3, with the final rules and regulations coming no later than October 2025.

The goal of CIRCIA is to change the way entities across the critical infrastructure communicate during a cyber crisis and improve overall cyber readiness.

The 72-hour rule

CISA has designated 16 industries as critical infrastructure, which can be found here in detail. However, under CIRCIA, only 13 of the sectors will be required to follow the reporting guidelines (as of this writing, Commercial Facilities, Dams and Food and Agriculture sectors are exempted, but of course, this could change).

Under the new crisis communication guidelines, any business operating under the umbrella of one of the 13 critical infrastructure sectors, including small and mid-sized businesses, will be required to report the cyber incident to CISA within 72 hours of occurrence. Any federal agency receiving a report about a covered cyber incident will have 24 hours to share the report with CISA.

The guidelines also establish an intergovernmental Cyber Incident Reporting Council that will coordinate, deconflict and harmonize federal incident reporting requirements.

Explore incident response services

CIRCIA’s additional ransomware guidelines

Because ransomware is among the most prevalent types of attacks on critical infrastructure, CIRCIA added guidelines to help these organizations better defend themselves against ransomware attacks. They include:

  • Any organization making a ransomware payment after an attack must report it to CISA within 24 hours. CISA will share this report with other federal agencies.
  • Through the Ransomware Vulnerability Warning Pilot (RVWP) program, CISA authorizes authorities and technologies to identify systems with vulnerabilities that could lead to ransomware and alert them in a timely manner to fix the systems before an attack.

Criteria for a covered cyber incident

In addition to its reporting requirements, CIRCIA and CISA outline specific criteria on what is considered a covered cyber incident. If an incident meets these criteria, it must be reported:

  • An incident that results in substantial loss of confidentiality, integrity or availability within systems, or there is a serious impact on resiliency or safety of operations
  • An incident that disrupts business or industrial operations. This includes DoS attacks, ransomware and zero-day attacks
  • An incident that creates unauthorized access or disruption of business operations through loss of services from a third-party provider

How to prepare for CIRCIA

Even though full implementation of CIRCIA is a year away and could see changes during that time, organizations can begin to take steps to prepare for the time when they will need to report a covered incident.

It starts with learning if your organization falls under the covered sectors, and if so, familiarize yourself with the reporting guidelines.

This would be a good time to review the organization’s cybersecurity policy and implement recommendations from the NIST Cybersecurity Framework 2.0, NIST Software Supply Chain Security framework and other government cybersecurity guidance available.

The incident response team should be fully trained on the CIRCIA requirements, right along with the pre-existing incident response plan, and conduct practice runs. Incident response protocols may need to be updated to meet these requirements. If your organization doesn’t have an incident response team and plan, now is the time to pull one together.

CIRCIA rules won’t be mandatory until 2025 when the final rules go into effect, but it isn’t too early to start following the guidelines as a way to improve cybersecurity across your business and critical infrastructure.

Stay tuned next week for the next article in this series, Should CISOs be held legally responsible for cyber incidents?

The post How CIRCIA is changing crisis communication appeared first on Security Intelligence.