Proposed Rule

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements; Correction

Proposed rule; correction.

Summary:

On April 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published, in the Federal Register, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements notice of proposed rulemaking (NPRM). The NPRM proposes regulations to implement CIRCIA's covered cyber incident and ransom payment reporting requirements for covered entities. In the section describing covered entities, the NPRM included information and references in the applicability criteria for transportation system entities that were based on a proposed rule that has not yet been published by the Transportation Security Administration (TSA). This document clarifies and corrects the proposed applicability criteria for pipeline facilities and systems in the sector-based criteria discussion for transportation systems sector entities.

Key Dates
Citation: 89 FR 47471
Comments to the NPRM published at 89 FR 23644 on April 4, 2024, and related material must be submitted on or before July 3, 2024.
Comments closed: April 4, 2024
Public Participation
0 comments 30 supporting docs

In Plain English

What is this Federal Register notice?

This is a proposed rule published in the Federal Register by the Homeland Security Department. Proposed rules invite public comment before becoming final, legally binding regulations.

Is this rule final?

No. This is a proposed rule. It has not yet been finalized and is subject to revision based on public comments.

Who does this apply to?

Proposed rule; correction.

When does it take effect?

This document has been effective since April 4, 2024.

📋 Rulemaking Status

This is a proposed rule. A final rule may be issued after the comment period and agency review.

Document Details

Document Number: 2024-12084
FR Citation: 89 FR 47471
Type: Proposed Rule
Published: Jun 3, 2024
Effective Date: Apr 4, 2024
RIN: 1670-AA04
Docket ID: Docket No. CISA-2022-0010
Pages: 47471–47472 (2 pages)
Text Fetched: Yes

Related Documents (by RIN/Docket)

Doc # | Type | Title | Published
2024-09505 | Proposed Rule | Cyber Incident Reporting for Critical In... | May 6, 2024
2024-06526 | Proposed Rule | Cyber Incident Reporting for Critical In... | Apr 4, 2024

Full Document Text (1,658 words · ~9 min read)

DEPARTMENT OF HOMELAND SECURITY

6 CFR Part 226

[Docket No. CISA-2022-0010]

RIN 1670-AA04

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements; Correction

AGENCY: Cybersecurity and Infrastructure Security Agency, DHS.

ACTION: Proposed rule; correction.

SUMMARY: On April 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published, in the Federal Register, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements notice of proposed rulemaking (NPRM). The NPRM proposes regulations to implement CIRCIA's covered cyber incident and ransom payment reporting requirements for covered entities. In the section describing covered entities, the NPRM included information and references in the applicability criteria for transportation system entities that were based on a proposed rule that has not yet been published by the Transportation Security Administration (TSA). This document clarifies and corrects the proposed applicability criteria for pipeline facilities and systems in the sector-based criteria discussion for transportation systems sector entities.

DATES: Comments to the NPRM published at 89 FR 23644 on April 4, 2024, and related material must be submitted on or before July 3, 2024.

ADDRESSES: You may send comments, identified by docket number CISA-2022-0010, through the Federal eRulemaking Portal available at https://www.regulations.gov.

Instructions: All comments received must include the docket number for this rulemaking. All comments received will be posted to https://www.regulations.gov, including any personal information provided. If you cannot submit your comment using https://www.regulations.gov, contact the person in the FOR FURTHER INFORMATION CONTACT section of this proposed rule for alternate instructions. For detailed instructions on sending comments and additional information on the types of comments that are of particular interest to CISA for this proposed rulemaking, see the SUPPLEMENTARY INFORMATION section of the proposed rulemaking document at 89 FR 23644 (Apr. 4, 2024).

Docket: For access to the docket and to read background documents mentioned in this proposed rule and comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Todd Klessman, CIRCIA Rulemaking Team Lead, Cybersecurity and Infrastructure Security Agency, circia@cisa.dhs.gov, 202-964-6869.

SUPPLEMENTARY INFORMATION:

Background and Discussion

On April 4, 2024, CISA published a NPRM, “Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements,” 89 FR 23644, that was required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). [1] CIRCIA requires covered entities to report to CISA within certain prescribed timeframes any covered cyber incidents, ransom payments made in response to a ransomware attack, and any substantial new or different information discovered related to a previously submitted report. [2] CIRCIA further requires the Director of CISA to implement these new reporting requirements through rulemaking. The NPRM solicits public comment on proposed regulations that would codify these reporting requirements.

[1] See 6 U.S.C. 681-681g; Public Law 117-103, as amended by Public Law 117-263 (Dec. 23, 2022).
[2] 6 U.S.C. 681b(a)(1)-(3).

In proposed 6 CFR 226.2, Applicability, CISA proposed a list of entities that would be required to report under the proposed regulation. [3] Specifically, in § 226.2(b)(14), CISA proposed sector-based criteria for “Transportation system entities” that would be considered covered entities. [4] As noted in the NPRM, CISA aligned the aforementioned sector-based criteria's description of a covered entity to include those entities identified by TSA as requiring cyber incident reporting and, in some cases, enhanced cybersecurity measures. [5] To facilitate this alignment, CISA's NPRM proposed § 226.2(b)(14) that an “entity required by the Transportation Security Administration to report cyber incidents” or otherwise meets one or more criteria related to owners and operators of various non-maritime transportation system infrastructure, such as freight railroad, public transportation and passenger railroads (PTPR), pipeline facilities and systems, over-the-road bus (OTRB) operations, passenger and all-cargo aircraft, indirect air carriers, airports, and Certified Cargo Screening Facilities, would be considered a covered entity. [6] Each of these proposed criteria included specific references to where these entities are identified in TSA's current regulations. [7] However, for the sector-based criteria that would be applicable to pipeline facilities or systems, the proposed criterion references a section, 49 CFR 1586.101, that TSA intends to include in TSA's forthcoming Enhancing Surface Cyber Risk Management NPRM, which has not yet been published in the Federal Register. [8] Until that rule is finalized, the section related to pipeline facilities or systems does not exist in the CFR. Because the CIRCIA NPRM does not specifically describe which pipeline facilities or systems that CISA proposes as covered entities until TSA's rulemaking is finalized, CISA's intent through this notice is to clarify and correct this point.

[3] 89 FR 23768 (Apr. 4, 2024).
[4] 89 FR 23768.
[5] See 89 FR 23699-23701.
[6] 89 FR 23768.
[7] See 89 FR 23768.
[8] See 89 FR 23768 and TSA, Fall 2023 Unified Agenda, RIN 1652-AA74: Enhancing Surface Cyber Risk Management, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=1652-AA74 (accessed May 14, 2024).

As stated in the CIRCIA NPRM, CISA's intent is to align CIRCIA requirements applicable to aviation and surface transportation entities with TSA's requirements to support reduction of duplication and to avoid unintended gaps in cyber incident reporting. As such, CISA proposed applicability criteria describing covered entities in 6 CFR 226.2(b)(14) that include entities that are currently required, or will be required, to report cyber incidents to TSA. [9] It is for this reason that CISA specifically proposed describing a covered entity as an “entity [that] is required by the Transportation Security Administration to report cyber incidents” in proposed 6 CFR 226.2(b)(14), so that any entities, such as pipeline facilities or systems, that are required to currently report cyber incidents to TSA under Security Directives would also be considered covered entities that are required to report under CIRCIA.

[9] 89 FR 23768.

For the surface transportation sector, TSA currently requires reporting of cyber incidents to CISA by owner/operators of certain freight railroads, passenger railroads, rail transit systems, and hazardous and natural gas pipeline facilities and systems pursuant to Security Directives issued under the authority of 49 U.S.C. 114(l)(2). [10] Under these Security Directives, TSA notifies owner/operators of pipeline facilities or systems directly if the requirements in the Security Directive are applicable to them. Using a risk-based approach, a small percentage within each mode of transportation are required to report cybersecurity incidents, but these entities represent a significant portion of capacity, throughput, and ridership for each of these modes. As indicated in the CIRCIA NPRM, and as described in this notice, CISA proposes that all such owners/operators of pipeline facilities and systems identified by TSA and required to report cybersecurity incidents pursuant to TSA Security Directives are considered covered entities under 6 CFR 226.2(b)(14) until TSA finalizes its Enhancing Surface Cyber Risk Management rule.

[10] See 89 FR 23651.

To address the concern regarding cross-referencing a regulatory section that does not currently exist, CISA is issuing this correction to remove the reference to that specific regulatory section and, instead, propose criterion to make clear that CIRCIA's description of a covered entity for pipeline facilities or systems includes any entity that is currently required by TSA to report cyber incidents under a Security Directive or is otherwise identified as required to report under TSA's final regulations. For owner/operators of pipeline facilities or systems not currently subject to reporting requirements under TSA's Security Directives, it is CISA's understanding, through consultation with TSA, that TSA intends to continue using a risk-based approach in determining entities subject to its regulations, similar to its Security Directive approach and that applicability of cyber incident reporting requirements beyond the existing Security Directives will not be substantially expanded. TSA's Security Directives indicate that approximately 100 pipeline systems are considered the most critical. [11]

Preview showing 10k of 12k characters. Full document text is stored and available for version comparison.
This text is preserved for citation and comparison. View the official version for the authoritative text.