Skip to main content

Voices. Knowledge. Solutions.

Cyber Incident Reporting for Critical Infrastructure Act of 2022

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 was included in the signed Consolidated Appropriations Act of 2022. The law requires the reporting of certain cyber incidents by covered entities.  

The Act requires covered entities to report a covered cyber incident to the Cybersecurity and Infrastructure Security Agency no later than 72 hours after the entity believes that the cyber incident occurred.  

Covered entities are 16 critical infrastructure industries defined by Presidential Policy Directive 21. They include emergency services, energy, government facilities, information technology, transportation systems, and water and wastewater systems. 
A covered cyber incident is defined as an occurrence that jeopardizes — without lawful authority — the integrity, confidentiality or availability of information on an information system. The reported information should include: 

  • identification and a description of the function of the affected information systems, networks that were, or are reasonably believed to have been affected by such cyber incident; 
  • a description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information systems or network or disruption of business or industrial operations; 
  • the estimated date range of such incident; and 
  • the impact to the operations of the covered entity.
A covered entity must report ransom payments made as result of a ransomware attack. It must make the report no later than 24 hours after the ransom payment has occurred. Covered entities must promptly report supplemental information if substantial new or different information becomes available, or if the entity makes a ransom payment after submitting a covered cyber incident report. All data relevant to the cyber incident or ransom payment must be preserved by the covered entity. 

The Cybersecurity and Infrastructure Security Agency will use the data reported to render assistance to victims, spot trends within the data and share information to network defenders. It will also improve how CISA advises the public on mitigating emerging threats. 

Read the text of the act to learn more.