U.S. Passes New Cybersecurity Law for Critical Infrastructure Reporting

With the United States government increasingly cautioning about the threat of cyberattacks targeting critical infrastructure and posing wider risks to society, Congress has passed new rules on reporting. Let’s take a look at the Cyber Incident Reporting for Critical Infrastructure Act, what it means for organizations responsible for the provision of critical infrastructure services, and the legislation’s potentially broader ramifications in shaping the future cybersecurity landscape.

Background of The Cyber Incident Reporting for Critical Infrastructure Act

The Russia-Ukraine conflict added new impetus at the federal level to demand more collective action in reducing critical infrastructure cybersecurity risks. Well aware of Russia’s cyber warfare capabilities, U.S. government sources immediately began warning about possible retaliation to sanctions in the form of disruptive cyberattacks targeting critical infrastructure.

Cyberattacks haven’t materialized to any degree outside of Ukraine yet, but you don’t have to look far back in history to find pertinent examples of why the U.S. government continues to express concern about threats to critical infrastructure’s cyber defenses. Two incidents from the last couple of years that arguably instigated the formative plans for the new incident reporting legislation were:

  • The Colonial Pipeline shutdown caused by a ransomware attack, which led to panic buying and gas shortages both at fuel stations and in airports.
  • A breach of SolarWinds Orion network management system let Russian intelligence pry into the networks of several U.S. government agencies.

Aside from those two extremely high-profile incidents, reports indicated that 14 out of 16 reporting critical infrastructure sectors had at least one organization suffering from a ransomware incident during 2021. It’s clear that to protect national security and continue providing citizens with vital services, some sort of cohesive and collective rule changes were needed. And this is where the Cyber Incident Reporting for Critical Infrastructure Act comes into play.

The Cybersecurity Incident Reporting Law in Brief

As with many documents pertaining to legislative changes, there is a lot of legal speak to navigate through to get the gist of things. Here is a useful brief breakdown of what the legislation says.

The new law, enacted as a direct response to growing concerns about cyberattacks on critical infrastructure, required “covered entities” in the private sector to submit reports to the Cybersecurity and Infrastructure Security Agency (CISA). But fret not; you don’t need to begin reporting until the final legislation and rules are drafted, and you’ll be informed about that date.

What should be reported

The two main types of incidents that should be reported to the CISA under the scope of the Cyber Incident Reporting for Critical Infrastructure Act are:

  1. A covered cyber incident, which is defined as a substantial cyberattack experienced by a covered entity that carries a high likelihood of damage to national security interests, public confidence, civil liberties, or public health and safety of the people of the United States.
  2. Any ransom payment made to a threat actor regardless of whether it falls into the covered cyber incident definition.

The first point here is pretty self-explanatory. The law clearly calls for more detail and consistency in reporting the types of cybersecurity incidents hitting critical infrastructure with huge potential for knock-on effects, whether that means gas shortages, operational downtime in emergency departments or power grid shutdowns.

The second type of report that covered entities are required to make is an interesting reflection on how seriously the highest levels of government see the threat of ransomware. Most government sources actively warn organizations not to pay up in ransomware attacks. And a lack of reporting obligations means many businesses sweep such payments under the carpet and never report them. Greater transparency in this regard is likely to enable CISA to gather better intelligence on for-profit adversary behavior.

Whom it applies to

The regulation applies to covered entities, as designated by CISA, operating in any of 16 critical infrastructure sectors. These sectors include energy, healthcare and critical manufacturing. The precise definition of covered entities is forthcoming, but is likely to mirror the covered cyber incident definition by applying to organizations in critical infrastructure whose operations could impact national security, economic security, or public health and safety if compromised by a cyberattack; or whether the organization being attacked could disrupt other critical infrastructure operations.

Important timeframes

Covered cyber incidents need to be reported within 72 hours, while ransom payments need to be reported within 24 hours of payment. If substantial new or different information becomes available, or a covered entity makes a ransom payment after providing a report on a covered incident, the relevant organization then needs to send in a supplemental report (although the wording on this is less precise in terms of timeframes; the document says “promptly”).

Noncompliance consequences

Failure to submit a report under the above scope of requirements can result in either a direct engagement from CISA to request information or a subpoena to compel disclosure of relevant information. Failure to comply with a subpoena poses the likelihood of civil action against your business, with a potential punishment as contempt of court. In practice, therefore, if you’re a covered entity under the new regulation, compliance is set to be taken very seriously.


The clear benefit here is a more transparent, collective approach to cybersecurity. Voluntary information-sharing programs haven’t provided much improvement in gathering intelligence about key cyber threats to U.S. critical infrastructure, perhaps because organizations feared reporting ransom payments that were actively discouraged by government sources.

The new act protects liability when it comes to sharing information by covered entities, which means that if you comply with the reporting requirements before it gets to a subpoena, you maintain protection. Echoing this were comments from Senate Intelligence Committee Chair Mark Warner, who said the point of the regulation’s mandatory reporting is to go after malware actors and not hold individual companies accountable.

Closing Thoughts: A National Reporting Mandate?

The final drafting of the Cyber Incident Reporting for Critical Infrastructure Act in 24 months signifies the start of some strong measures taken by the U.S. government demonstrating its perception of how important cybersecurity now is. While this law starts out with critical infrastructure, there’s a strong chance this approach could expand to a national cyber incident reporting mandate, with the objective of strengthening cybersecurity countrywide in all sectors of the economy. Watch this space.

Nuspire’s cybersecurity consulting services can ready your organization for its impending reporting obligations under the Cyber Incident Reporting for Critical Infrastructure Act.

Contact us today to speak with an expert.

Have you registered for our next event?