Understanding CISA’s proposed cyber incident reporting rules



The proposed regulation in the NPRM applies to all organizations that are not considered “small businesses” as defined by the US Small Business Administration, except for small businesses that are considered “high-risk,” such as critical access hospitals in rural areas, owners and operators of nuclear facilities, and central school districts.

In its 450-page NPRM, CISA details an array of complex rules that it will likely further refine before the final regulation is released and seeks comment from all interested parties. The following sections highlight the cornerstones of CISA’s proposed rules, distilling some of the essential features.

What incidents to report and when

CISA proposes defining a cyber incident as “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.”

CISA proposes to define a covered cyber incident, meaning one that must be reported under the new rules, as one that meets any of the following substantiality thresholds:

  • A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network.
  • A serious impact on the safety and resiliency of a covered entity’s operational systems and processes.
  • A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services.
  • Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or a supply chain compromise.

CISA notes that these conditions apply regardless of the cause of the incident, which might include the compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, a supply chain compromise, a denial-of-service attack, a ransomware attack, or exploitation of a zero-day vulnerability.

It’s important to note that an incident needs to meet only one of the four prongs, not all four, to qualify as a substantial cyber incident. Moreover, CISA proposes to consider all types of systems, networks, and technologies, not just those deemed critical, in determining whether a substantial incident has occurred.
