Cyber Incident Reporting Act Becomes Law
The 2022 funding bill included the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires entities in a critical infrastructure sector to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and to report to CISA any ransom payment resulting from a ransomware attack not later than 24 hours after the payment. CISA is required to conduct a rulemaking within 24 months, in consultation with the Department of Justice and other Federal agencies, to implement the new requirements, including defining key terms in the Act. CISA must publish the final rules within 18 months after commencing the rulemaking.