CISA Cyber Incident Reporting Rulemaking Is on the Horizon


While higher education is not covered by a pending rulemaking on cyber incident reporting, EDUCAUSE is monitoring the process given the possibility that colleges and universities could face a similar requirement in the future.

The Cybersecurity and Infrastructure Security Agency (CISA) is preparing a proposed rulemaking that will require covered entities to report certain cyber incidents and ransomware payments to the agency within hours of their occurrence.[1] CISA is required to initiate this process by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was enacted as part of the Consolidated Appropriations Act of 2022, signed into law by President Biden on March 15, 2022.

As its name suggests, the requirements in CIRCIA apply to entities that fall within the Department of Homeland Security's long-established list of "critical infrastructure" sectors, which does not include higher education. Earlier iterations of the legislation would have subjected colleges and universities to cyber incident reporting requirements alongside all other "federal contractors."[2] That CIRCIA was ultimately the version that hitched a ride on the must-pass omnibus appropriations bill relieved the higher education community of its potential place in the community regulated by CISA, at least for the time being.

Many details of the reporting requirements remain to be seen, but the law, as passed, did include some guidance and limitations for CISA to follow. A covered entity must report a "covered cyber incident" to CISA within seventy-two hours after it "reasonably believes" the incident has occurred. Additionally, a covered entity must report to CISA any payment made in response to a ransomware attack within twenty-four hours after the payment has been made, regardless of whether the attack falls within the law's definition of a covered cyber incident. A covered cyber incident is defined as a "substantial" incident that "actually" jeopardizes an information system or the information contained on such a system.[3] During the rulemaking process, CISA will likely provide additional detail as to what constitutes a covered cyber incident and which organizations are covered entities.

Reports indicate that CISA will soon release a Request for Information (RFI) and organize listening sessions to gather input from the stakeholder community. Pursuant to CIRCIA, CISA must issue a Notice of Proposed Rulemaking (NPRM) within twenty-four months of enactment, and it must produce a final rule within eighteen months after releasing the NPRM. While the requirements will not take effect until the rule is finalized, CISA encourages the voluntary sharing of cyber event information and issued guidance on that topic in April 2022.[4] The guidance lists the types of activity to share, such as unauthorized system access, ransomware attacks, and repeated attempts to gain unauthorized system access, as well as the types of detail about an incident to include in a report. Additionally, CISA is already consulting with other agencies on the rulemaking process, including the Sector Risk Management Agencies, the Department of Justice, and the newly formed Cyber Incident Reporting Council; CIRCIA requires this cross-agency coordination.

While this regulation will not directly affect higher education, that does not mean colleges and universities will avoid federal cyber incident reporting requirements in the future. The "federal contractor" mandate in early versions of what became CIRCIA would have reached higher education, and other legislation introduced last year, specifically the Federal Information Security Modernization Act of 2021, sought to establish responsibilities for federal contractors and grantees to report security incidents involving agency data or systems to their respective federal agencies.[5] Whether this or similar language makes its way into future legislative vehicles remains to be seen. Regardless, EDUCAUSE will continue to monitor the CISA incident reporting framework and keep members apprised of notable updates.

Notes

  1. "CIRCIA: Cyber Incident Reporting for Critical Infrastructure Act of 2022," Cybersecurity and Infrastructure Security Agency (website), n.d., accessed August 31, 2022.
  2. Jarret Cummings, "Good News on Cyber Incident Reporting Bill," EDUCAUSE Review, March 25, 2022.
  3. Consolidated Appropriations Act, 2022, Pub. L. No. 117-103, 136 Stat. 49 (March 15, 2022).
  4. Cybersecurity and Infrastructure Security Agency, "Sharing Cyber Event Information: Observe, Act, Report," April 2022.
  5. Federal Information Security Modernization Act of 2021, S.2902, 117th Cong. (2021-2022).

Kathryn Branson is a Partner with Ulman Public Policy.

© 2022 EDUCAUSE. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.