Last week, CISA published the official version of their Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (Division Y, PL 117-103) notice of proposed rulemaking (NPRM). This is part of a continuing series of posts looking at the proposed rulemaking. In this post I will be looking at how CISA is proposing to deal with the problem of implementing the CIRCIA mandated definition of the term ‘covered entity’ as it applies to these reporting requirements.
Covered Entity Definition
CIRCIA (codified at 6 USC 681-681g) defines the term ‘covered entity’ {§681(5)}: “The term ‘covered entity’ means an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21 [link added], that satisfies the definition established by the Director in the final rule issued pursuant to section 2242(b) (§681b).” Congress had to rely so broadly on CISA’s judgement to define the term because it has never been able to come up with a usable definition of what constitutes a critical infrastructure entity.
In this NPRM, CISA defined the term ‘covered entity’ (§226.1) this way: “Covered entity means an entity that meets the criteria set forth in § 226.2 of this part.” In turn, §226.2, Applicability, provides a two-part requirement. First, the entity must be larger than the ‘small business size standard’ set forth in 13 CFR part 121. Second, the entity must meet “one or more of the sector-based criteria provided below, regardless of the specific critical infrastructure sector of which the entity considers itself to be part”. Then §226.2 goes on to list those ‘sector-based criteria’:
Owns or operates a covered chemical facility,
Provides wire or radio communications service,
Owns or operates critical manufacturing sector infrastructure,
Provides operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information,
Performs an emergency service or function,
Bulk electric and distribution system entities,
Owns or operates financial services sector infrastructure,
Qualifies as a State, local, Tribal, or territorial government entity,
Qualifies as an education facility,
Involved with information and communications technology to support elections processes,
Provides essential public health-related services,
Information technology entities,
Owns or operates a commercial nuclear power reactor or fuel cycle Facility,
Transportation system entities,
Subject to regulation under the Maritime Transportation Security Act, or
Owns or operates a qualifying community water system or publicly owned treatment works.
Each of the links above takes you to a paragraph under §226.2(b) that provides a brief description of what types of facilities (frequently with reference to a controlling regulatory structure) under that general description would be classified as a ‘covered entity’. There are lengthier discussions in the preamble that provide additional information on how CISA reached these definitions. Those discussions, from an enforcement perspective, will be very important for courts deciding whether or not a facility should be covered by this regulation. I do not have the time, or inclination, to dig into each of those 16 discussions here. I will, however, look at the discussion about a ‘covered chemical facility’.
Owns or Operates
Before we get into that discussion, let’s go back and look at the entirety of §226.2(b)(1):
“(1) Owns or operates a covered chemical facility. The entity owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards [CFATS program] pursuant to 6 CFR part 27;”
The first phrase (‘Owns or operates’) in that opening sentence is very important as CISA explains in the discussion preceding the ‘Covered Chemical Facility’ section of the preamble:
“While these criteria are focused on certain facility types or functions as the basis of determining whether an entity is a covered entity, CISA is proposing that the entire entity (e.g., corporation, organization), and not the individual facility or function, is the covered entity.”
They go on to provide an operational chemical facility-based example:
“Thus, for example, if an entity owns 20 chemical distribution facilities, only five of which are CFATS-regulated facilities, the entire entity is the covered entity, and not simply the five CFATS-regulated facilities.”
Covered Chemical Facility
I briefly addressed the CFATS implication of this definition in a blog post on Friday. This covered only a small part of the discussion in the preamble labeled “Chemical Sector”. This will be a broader look at the entire discussion.
The discussion under ‘Covered Chemical Facility’ starts out by explaining how the CFATS requirements, and the process by which CISA determines that a chemical facility (a very broad term defined operationally) is a covered facility, support the three ‘covered entity’ statutory requirements outlined in §681b(c)(1). A similar discussion is included in each of the preamble entity discussions.
CISA then notes that there is already a cyber incident reporting requirement under the CFATS program (if/when the program is reauthorized). With CIRCIA regulations in effect, that would put two different legal reporting requirements in place for CFATS covered facilities. CISA explains how they intend to deal with that situation:
“To avoid the same entity having to report the same incident to CISA twice, CISA is proposing that submission of a cyber incident report to CISA under either one of these authorities will satisfy the incident reporting obligations for both regulations for the incident, assuming the single submission includes all the information required to comply with both CFATS and CIRCIA, independently. However, if a covered entity reports an incident to CISA per CFATS requirements and intends for this report to also meet its reporting obligations under CIRCIA, it would need to indicate that intent in the submission. Otherwise, a separate CIRCIA Report would need to be filed to meet the entity's reporting obligations.”
As I noted in my CFATS/CIRCIA post, CISA acknowledges that there is a chance that Congress will not get around to reauthorizing the CFATS program before CISA gets around to publishing the final version of this rulemaking. The preamble notes:
“Accordingly, CISA proposes that if CFATS is not reauthorized by the time the CIRCIA final rule is ready for publication, CISA instead would replace the CFATS-based Chemical Sector criterion with a Chemical Sector sector-based criterion that description identifies owners and operators of facilities subject to the EPA RMP rule as covered entities.”
The discussion then covers how the RMP program meets the statutory requirements of §681b(c)(1). CISA makes it clear, however, that it believes the CFATS criteria would be a better basis for identifying ‘covered facilities’ for the purposes of §226.2(b)(1).
CISA Questions
CISA provides two questions that they would like to see the public address in their comments on this NPRM:
10. The decision to solely use the CFATS-based criterion if CFATS is in effect at the time of the issuance of the CIRCIA final rule.
11. Other possible alternatives that CISA should consider as a sector-based criterion for the Chemical Sector if CFATS is not reauthorized by Congress.
The NPRM provides similar types of questions after each of the other 15 sector discussions.