Amidst severe warnings by the United States government of heightened cyber risks (especially for critical infrastructure), and on the heels of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) being signed into law in March 2022, the Cybersecurity and Infrastructure Security Administration (CISA) published a Cyber Event Information Sharing Fact Sheet, which provides stakeholders with guidance about what to share, who should share, and how to share information about unusual cyber incidents or activity.
Who Should Share Information with CISA?
- Critical Infrastructure Owners and Operators
- Federal, State, Local, Territorial, and Tribal Government Partners
What Types of Activity Should Be Shared?
- Unauthorized access to your system
- Denial of Service (DOS) attacks that last more than 12 hours
- Malicious code on your systems, including variants if known
- Targeted and repeated scans against services on your systems
- Repeated attempts to gain unauthorized access to your system
- Email or mobile messages associated with phishing attempts or successes
- Ransomware against Critical Infrastructure, include variant and ransom details if known
How Should You Share This Information?
Entities were urged to complete an incident reporting form or, in the alternative, send a detailed e-mail to firstname.lastname@example.org.
In the report, CISA asks that entities share ten key elements – with the first nine listed as a priority.
- Incident date and time
- Incident location
- Type of observed activity
- Detailed narrative of the event
- Number of people or systems affected
- Company/Organization name
- Point of Contact details
- Severity of event
- Critical Infrastructure Sector if known
- Anyone else you informed
While these instructions are not legally binding, these data elements might be a signal for what critical infrastructure owners and operators can expect in an upcoming notice of proposed rulemaking. Critical infrastructure operators should consider how best to incorporate these elements into their incident reporting process.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.