On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.

Overview of CIRCIA.  CIRCIA was signed into law on March 15, 2022 and establishes two cyber incident reporting requirements for covered critical infrastructure entities:

  1. A 24-hour requirement to report any ransomware payments to CISA; and
  2. A 72-hour requirement to report all covered cyber incidents to CISA.

These requirements will take effect upon the issuance of implementing regulations from the Director of CISA.  The Act directs CISA to issue a Notice of Proposed Rulemaking (“NPRM”) within 24 months of the date of enactment to implement the Act’s requirements, and to issue a final rule within 18 months of issuing the NPRM.

Request for Information.  CISA is seeking public comment through its Request for Information on potential aspects of the proposed regulation prior to publication of the NPRM.  According to the Request for Information, CISA is particularly interested in public input regarding:

  • Definitions, criteria, and the scope of regulatory coverage, including the scope of covered entities and covered incidents;
  • Report contents and submission procedures, including when timing requirements for various reporting requirements will begin to run;
  • Other incident reporting requirements and security vulnerability information sharing; and
  • Additional policies, procedures, and requirements.

Looking Ahead.  As noted, written comments are requested on or before November 14, 2022. Submissions received after that date may not be considered.  Comments may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov. CISA will also be hosting public listening sessions throughout the comment period as an additional means for interested parties to provide input. 

Jim Garland

Jim Garland’s practice focuses on government investigations and enforcement matters, litigation, and cybersecurity. Recognized by Chambers USA as a leading practitioner in both the white collar and cybersecurity categories, Jim draws upon his experience as a former senior Justice Department official to advise clients on sensitive, multidimensional disputes and investigations, often with national security implications. He previously served as co-chair of Covington’s “Band 1”-ranked White Collar and Investigations Practice Group and currently is a member of the firm’s Management and Executive Committees.

Jim regularly represents corporate and individual clients in government investigations and enforcement actions. He has successfully handled matters involving allegations of economic espionage, theft of trade secrets, terrorism-financing, sanctions and export control violations, money laundering, foreign bribery, public corruption, fraud, and obstruction of justice. He has particular expertise advising clients in connection with investigations and disputes involving electronic surveillance and law enforcement access to digital evidence.

Jim has substantial experience litigating high-stakes, multidimensional disputes for clients across a range of industries, including companies in the high-tech, financial services, defense, transportation, media and entertainment, and life sciences sectors. Many of his civil representations have substantial cross-border dimensions or involve parallel government enforcement proceedings in multiple forums.

In conjunction with his investigations and litigation practice, Jim regularly assists clients with cybersecurity preparedness and incident-response matters. He helps clients in assessing security controls and in developing policies and procedures for the protection of sensitive corporate data. He also regularly assists companies in responding to significant cybersecurity incidents, including in connection with criminal and state-sponsored attacks targeting customer and employee data, financial information, and trade secrets.

From 2009 to 2010, Jim served as Deputy Chief of Staff and Counselor to Attorney General Eric Holder at the U.S. Department of Justice. In that role, he advised the Attorney General on a range of enforcement issues, with an emphasis on criminal, cybersecurity, and surveillance matters.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group and as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of, an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Matthew Harden

Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He works with clients across industries, including in the technology, financial services, defense, entertainment and media, life sciences, and healthcare industries.

As part of his cybersecurity practice, Matthew provides strategic advice on cybersecurity and data privacy issues, including cybersecurity investigations, cybersecurity incident response, artificial intelligence, and Internet of Things (IoT). He also assists clients with drafting, designing, and assessing enterprise cybersecurity and information security policies, procedures, and plans.

As part of his litigation and investigations practice, Matthew leverages his cybersecurity experience to advise clients on high-stakes litigation matters and investigations. He also maintains an active pro bono practice focused on veterans’ rights.

Matthew currently serves as a Judge Advocate in the U.S. Coast Guard Reserve.