March 22, 2022
Click for PDF
On March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which was included in an omnibus appropriations bill.[1] Against the backdrop of high-profile cyberattacks on critical infrastructure providers and growing concerns of retaliatory cyberattacks relating to Russia’s invasion of Ukraine, the House approved the bipartisan legislation on March 9 and the Senate unanimously approved the legislation on March 11 after failing to pass similar legislation in recent years.
The Act creates two new reporting obligations on owners and operators of critical infrastructure:
- An obligation to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) within 72 hours, and
- An obligation to report ransomware payments within 24 hours.
The new reporting obligations will not take effect until the Director of CISA promulgates implementing regulations, including “clear description[s] of the types of entities that constitute covered entities.”[2] The Act does provide…
