President Biden Signs Bill Expanding Cybersecurity Reporting Obligations.

President Biden signed the Consolidated Appropriations Act, 2022 into law on March 15, 2022. Section Y of the new omnibus appropriations bill is titled The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“the Act”). Importantly, the Act significantly expands federal cybersecurity incident and ransom demand reporting requirements for critical infrastructure entities. In light of these new requirements, critical infrastructure entities who suspect that they may be subject to the Act should begin investigating how the Act will impact their business and consider establishing protocols which may be necessary to ensure compliance.

Notably, the Act does not directly define many necessary terms and obligations. Instead, the Department of Homeland Security’s Director of the Cybersecurity and Infrastructure Security Agency (“CISA”) has been tasked with promulgating a final rule finalizing these definitions and obligations. Within 24 months of the Act’s enactment, CISA is required to begin the notice-and-comment rulemaking process. The final rule must then be published within the 18 months following the start of the rulemaking process. Interested stakeholders will want to review the proposed rule promptly when it is released and consider submitting comments as appropriate.

Incident Reporting Obligations

With respect to incident reporting, the Act requires covered entities to comply with new and expanded obligations when they experience a “covered cyber incident.” The term “covered entity” means a critical infrastructure entity—as defined by Presidential Policy Directive 21 (“the Directive”)—that satisfies the criteria established in CISA’s final rule. Although CISA’s criteria will remain unknown until the final rule is promulgated, the Directive clarifies the types of entities that may be subject to the expanded requirements.

Under the Directive, critical infrastructure entities are those operating in the following sectors:

Similar to the definition of “covered entity,” the full definition of “covered cyber incident” will not be available until CISA publishes the final rule. However, the Act establishes that the definition of “covered cyber incident” will contain certain key elements. Pursuant to the Act, the final rule’s definition of “covered cyber incident” must require, at minimum, the occurrence of:

CISA’s final rule will also outline many substantive requirements such as incident reporting obligations and ransom reporting obligations. In each instance, the final rule shall require a covered entity to report the following within 72 hours of the covered entity’s reasonable belief that a covered cyber incident has occurred:

In the event that a covered entity makes a ransom payment, the final rule will also require the covered entity to make the following disclosures to CISA within 24 hours of such payment:

Additionally, the Act also requires a covered entity to submit updated reports to supplement previously provided information when substantial new information is discovered. Once a report is submitted, all data relevant to the “covered cyber incident” or ransom payment must then be preserved by the covered entity pursuant to procedures yet to be established through the rulemaking process.

Exceptions to Reporting Obligations

The exceptions to these reporting obligations are fairly narrow. For instance, while a covered entity would otherwise be required to make two reports to cover both a covered cyber incident and a ransom payment, the Act allows such an entity to combine all required information into a single report. Similarly, in the event that a covered entity is subject to certain reporting requirements to other Federal agencies, the report to the other agency may satisfy the entity’s reporting obligations to CISA provided that a sharing agreement between the agencies exists.

Using a Third Party to Submit a Required Report or Make a Ransom Payment

A covered entity may either submit a required report itself or use a third party to do so. Such a third party can include an entity such as an “incident report company, insurance provider, service provider, Information Sharing and Analysis organization, or law firm.” In the event that a covered entity utilizes a third party, it must be aware that the use of such a third party does not relieve the covered entity from its reporting requirement. Rather, a covered entity utilizing a third party is subject to the same reporting obligations and timelines as it would be had it submitted the report or made the ransom payment itself.

Notably, third parties are largely exempt from independent obligations under the Act. Importantly, where a third party submits a report or makes a ransom payment on behalf of a covered entity, that third party is not obligated to submit a separate report on its own behalf. However, such a third party does have an obligation to advise the covered entity of their responsibilities regarding the covered entity’s reporting obligations. Thus, businesses who act as third parties and provide reporting services to covered entities should remain apprised of all reporting requirements and prepare to advise their clients.

Incident Report Sharing and Data Use

Though the Act establishes substantial reporting obligations, it also limits CISA’s ability to use and share the information provided by covered entities in the reports. Importantly, such information may only be used by the Federal Government for:

In addition to the limitations on use, similar to other cyber threat information-sharing opportunities provided by the Federal Government, information contained in required reports is afforded further protections. Importantly, information obtained by CISA via a required report may not act as the basis for any cause of action. Similarly, such information is also protected from admission into evidence in any future proceeding. Thus, any information contained in a required report may not be received into evidence, subjected “to discovery, or otherwise used in any trial, hearing, or other proceeding in or before any court, regulatory body, or other proceeding.”

In providing these protections, the Act intends to enable covered entities to fully disclose all relevant information regarding a covered cyber incident without incurring the risk of potentially exposing itself to liability due to the content of the report. Additional protections establish that information disclosed to CISA pursuant to the Act:


In the event that a covered entity fails to comply with the new cyber incident reporting obligations, CISA’s director may request information if it suspects the entity of noncompliance. If the covered entity fails to respond within 72 hours, CISA may then issue an administrative subpoena. Should the covered entity subsequently fail to comply with the subpoena, CISA may turn the matter over to the U.S. Attorney General for civil enforcement and covered entity may potentially held in contempt of court.

However, prior to exercising their enforcement authority, the CISA director must first consider i) the complexity of determining whether a covered cyber event has occurred as well as ii) the covered entity’s previous interactions with the agency and the likelihood that the entity is aware of its reporting obligations.

Other Notable Provisions

In addition to expanding reporting obligations, the Act also creates several entities and programs intended to improve the state of cybersecurity in the U.S. These additional provisions call for the creation of:

Key Takeaways

Though there is much that will remain unclear until CISA promulgates the final rule, businesses should, at the very least, be aware of the following:

To whom does the Act apply? The Act applies to covered entities as defined by CISA.

What does the act mandate? Reports must be made to CISA when the covered entity makes a ransom payment or experiences a covered cyber incident.

When must the report be made? Reports must be made to CISA within 72 hours of a business’s reasonable belief that a covered cyber incident has occurred and 24 hours of any ransom payment.

How is the information contained in the reports protected? CISA may only use the information in the reports for very limited purposes outlined above. Such information is further protected from disclosure via discovery, FOIA requests, or other open records requirement, etc.

How is the Act enforced? The CISA may request information in the event that it believes a covered entity may be noncompliant. If the entity fails to respond to the request within 72 hours, the CISA may issue a subpoena. If the entity fails to respond to the subpoena, the CISA may turn the matter over to the U.S. Attorney General who may enforce the subpoena.

Crowell & Moring LLP – Sarah Rippy, Matthew B. Welling, Evan D. Wolff, Maida Oringher Lerner, Alexander Urbelis and Michael G. Gruden

March 24 2022

Copyright © 2022 Bond Case Briefs |