Publication
March 18, 2022
On March 15, 2022, President Biden signed into law the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (the Act) as part of the 2022 federal funding bill.
 
Among other things, the Act requires critical infrastructure sector entities to report cybersecurity breach incidents and ransomware payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
 
Key Takeaways
  • The Act covers entities “in a critical infrastructure sector” as further defined by CISA’s final rule.
  • Covered entities must report covered cyber incidents to CISA within 72 hours after reasonably believing a covered incident has occurred.
  • Covered entities must report ransomware payments within 24 hours of making a payment.
  • The Act specifies enforcement authority for CISA and information protection provisions.

To read the full alert, click here.