Critical infrastructure owners and operators are now required to report cybersecurity incidents to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), after the passage of the Cyber Incident Reporting for Critical Infrastructure Act. 

The act, included within the Consolidated Appropriations Act, 2022, is one of the most significant pieces of cybersecurity legislation in the past decade. Requiring owners and operators to report significant cyber incidents and ransomware attacks to CISA within 72 hours, the legislation will bring greater visibility for the Federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector so they can defend against future attacks.

In a statement, CISA Director Jen Easterly applauded the passage of the legislation and said it is a "game-changer," marking a critical step forward in the collective cybersecurity of the U.S. "Thanks to the support of our many partners in Congress, CISA will have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyberattacks," Easterly said.

CISA will use these reports from private sector partners to create a common understanding of how adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.