On March 15, 2022, President Biden signed the Consolidated Appropriations Act 2022, a spending package which includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which establishes two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report any ransomware payments to CISA and a 72-hour requirement to report all covered cyber incidents to CISA. These requirements will take effect upon the issuance of implementing regulations from the Director of CISA.
Critical infrastructure entities that believe they may be covered by the final rule may want to consider examining their internal processes to detect, identify, and respond to cyber incidents and developing a testing strategy to exercise these processes on a periodic basis. Further, as the rulemaking process will provide more granular requirements consistent with the Act, critical infrastructure entities that believe they may be covered by the final rule should continue to monitor developments in this area to understand the full scope of the requirements that are likely to be imposed through the rulemaking process and when those requirements are likely to take effect.
Source: