On April 4, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a proposed rule on Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements. The rule, in alignment with the CIRCIA Act (signed into law as part of the Consolidated Appropriations Act of 2022), imposes new cyber incident and ransom payment reporting requirements for companies deemed to have responsibility for critical infrastructure.
Specifically, entities potentially covered by the rule fall under any of 16 critical infrastructure sectors. All construction contractors are likely to fall under one or more sectors, and would then be subject to the proposed rule’s requirements if they are either:
The proposal would require that these covered entities report any substantial cyber incident within 72 hours, and any ransom payments made in response to a ransomware attack within 24 hours. A substantial cyber incident is defined as a cybersecurity breach resulting in one or more of the following:
The proposed rule also imposes new recordkeeping requirements related to cybersecurity. Companies that fail to fully comply with the rule would face subpoenas, and federal contractors could be subject to acquisition penalties, suspension and debarment.
More information on the rule is available on CISA’s website.
ABC will comment on the proposed regulations. The deadline for comments is July 3.
ABC has provided resources and webinars on new cybersecurity requirements affecting the construction industry at abc.org/cybersecurity.