CISA’s Proposed Rule for Critical Infrastructure Cyber Incident Reporting: Analysis of Key Provisions

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will likely be the most sweeping cybersecurity incident notification regulation in the United States to date, covering entities of various sizes across many sectors. The U.S. Cybersecurity and Infrastructure Security Agency published its much-anticipated Notice of Proposed Rulemaking (Proposed Rule) last month. In this first installment of a two-part guest article series, Covington & Burling attorneys examine the Proposed Rule’s key provisions, including what entities and incidents are covered, and time, manner and content of reports. Part two will discuss data and records preservation requirements, limited exceptions and enforcement mechanisms. It also will summarize the next steps for the proposed rulemaking and offer practical compliance measures companies can begin to implement now. See the Cybersecurity Law Report’s two-part series on the new era of cyber incident reporting and cybersecurity regulation: “Key Provisions” (Oct. 12, 2022), and “How Companies Should Prepare and Engage” (Oct. 19, 2022).

To read the full article

Continue reading your article with a CSLR subscription.