

CISA’s Pilot Ransomware Warning System and Pre-Ransomware Notification Initiative

It has been one year since the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law – and only a couple of weeks since the release of the 2023 National Cybersecurity Strategy. In the shadow of these cybersecurity milestones, this month CISA announced two major initiatives to address the ongoing, global ransomware epidemic.  

Background: The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) at One Year

CISA Executive Director Brandon Wales marked the anniversary with a statement that emphasized how much of CIRCIA's first year was operational work rather than rulemaking:

“In that time, we’ve been working to implement the law thoughtfully, listening to stakeholders, and building the staffing, processes, and technology to successfully implement this groundbreaking legislation.

While those who are familiar with CIRCIA might think first of its regulatory requirements, there are also critical requirements that are more operational in nature. For example, in accordance with the law:

  • CISA and the Federal Bureau of Investigation (FBI) established the Joint Ransomware Task Force (JRTF) in September 2022 to coordinate a nationwide campaign against ransomware attacks; and 
  • CISA established the Ransomware Vulnerability Warning Pilot (RVWP) Program in January 2023 to identify the most common security vulnerabilities used in ransomware attacks and to identify information systems that already contain these vulnerabilities.

Together, JRTF and RVWP are making Americans safer and better equipped to handle cyber incidents.

In addition to proactively seeking out vulnerabilities, it is critical that entities that experience cyber incidents report them. If incidents aren’t reported, we will collectively continue to suffer from a lack of certainty around the depth and breadth of the threat of cyber threat activity to America’s critical infrastructure. One of the most vital aspects of CIRCIA is that it enhances CISA’s ability to use cybersecurity incident and ransom payment information reported to the agency to spot trends in real-time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyberattacks and share information to warn other potential victims.

In fact, reporting cyber incidents is so vitally important that CIRCIA established mandatory reporting requirements for covered entities that have experienced a covered cyber incident or made a ransom payment that will be implemented through regulation. CISA is currently working in accordance with the timeline provided by CIRCIA to develop thoughtful regulations that will become effective after a final rule is published. 

As an agency grounded in collaboration and coordination, CISA has worked hard to ensure it hears from the American people, critical infrastructure owners and operators, and other cybersecurity community members prior to developing proposed regulations. In the fall of 2022, agency staff made 10 stops from coast to coast to host in-person listening sessions and published a 60-day Request for Information (RFI) to solicit written comments. We are grateful to those who attended the in-person sessions and the approximately 130 individuals and organizations who submitted written comments in response to the RFI. Together, this feedback is helping us implement the legislation in the most effective way possible to protect the nation’s critical infrastructure. 

During that same timeframe, CISA hosted 17 virtual, sector-specific listening sessions, including one for each of the 16 critical infrastructure sectors. These listening sessions provided additional opportunities for industry partners to share their perspectives on potential approaches to implementing CIRCIA’s regulatory requirements. CISA has also been consulting closely with federal partners, including all the Sector Risk Management Agencies (SRMAs), the Department of Justice, and many other Federal Departments and Agencies that have a role in cyber incident reporting. CISA is considering the inputs received through these consultations as we develop the proposed regulations and look for ways to harmonize CIRCIA’s requirements with other existing cyber incident reporting regulatory requirements. 

While these reporting regulations will only impact covered entities and apply to covered cyber incidents and ransom payments, we encourage all critical infrastructure owners and operators to voluntarily share information on cyber incidents, phishing attempts, malware and vulnerabilities, to help prevent other organizations from falling victim to similar incidents. It’s easy to do at cisa.gov/report.” (1)

CIRCIA Required CISA to Establish the Ransomware Vulnerability Warning Pilot (RVWP)

Through the Ransomware Vulnerability Warning Pilot (RVWP), which started on January 30, 2023, CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors.

As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur. CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.

RVWP: Frequently Asked Questions

Q: What is CIRCIA?
A: The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is federal legislation that puts in place requirements for critical infrastructure entities to report cyber incidents and ransom payments to CISA.

Q: Why is CISA sending me a notification?
A: CISA routinely identifies security risks facing U.S. organizations, drawing on information from government and industry partners. CISA additionally leverages commercial tools to identify organizations that may be at heightened cybersecurity risk. As required by CIRCIA, CISA proactively identifies information systems that contain security vulnerabilities commonly associated with ransomware attacks. After discovery, CISA notifies owners of the vulnerable systems.

Q: Who will notify me if I have a vulnerability?
A: CISA Regional staff members, located throughout the country, make notifications and may provide assistance and resources to mitigate the vulnerability.

Q: What can I expect in the notification?
A: Notifications will contain key information regarding the vulnerable system, such as the manufacturer and model of the device, the IP address in use, how CISA detected the vulnerability, and guidance on how the vulnerability should be mitigated.

Q: How should I expect to receive a notification?
A: CISA regional staff members will make notifications by phone call or email. (2)

Getting Ahead of the Ransomware Epidemic: The CISA Pre-Ransomware Notification Initiative

In late March, JCDC Associate Director Clayton Romans released the following announcement of the CISA Pre-Ransomware Notification Initiative:

Over the past several years, ransomware attacks have caused extraordinary harm to American organizations: schools forced to close, hospitals required to divert patients, and companies across all sectors facing operational disruption, and expending untold sums on mitigation and recovery. At CISA, we are working with partners to take every possible step to reduce the prevalence and impact of ransomware attacks. We recently announced the Ransomware Vulnerability Warning Pilot Program to help organizations more quickly fix vulnerabilities that are targeted by ransomware actors…we’re excited to announce a related effort that is already showing impact in actually reducing the harm from ransomware intrusions: our Pre-Ransomware Notification Initiative. Like our work to reduce the prevalence of vulnerabilities, this effort is coordinated as part of our interagency Joint Ransomware Task Force.

We know that ransomware actors often take some time after gaining initial access to a target before encrypting or stealing information, a window of time that often lasts from hours to days. This window gives us time to warn organizations that ransomware actors have gained initial access to their networks. These early warnings can enable victims to safely evict the ransomware actors from their networks before the actors have a chance to encrypt and hold critical data and systems at ransom. Early warning notifications can significantly reduce potential loss of data, impact on operations, financial ramifications, and other detrimental consequences of ransomware deployment.

This remarkable effort relies on two key elements. First, our Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity. Without these tips, there are no notifications. Any organization or individual with information about early-stage ransomware activity is urged to contact us at [email protected]. Once we receive a notification, our field personnel across the country get to work notifying the victim organization and providing specific mitigation guidance. Where a tip relates to a company outside of the United States, we work with our international CERT partners to enable a timely notification.

Although we’re in the early days, we’re already seeing material results: since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.

In cases where ransomware actors have already encrypted a network and are holding data and systems for ransom, JCDC works closely with the victim organizations to provide threat actor tactics, techniques, and procedures (TTPs) as well as guidance to help reduce the impact of an attack. For example, we have provided information to help identify the data that may have been exfiltrated from an affected entity’s network as well as details of the intrusion to support investigative and remediation efforts. JCDC also works with the cybersecurity research community and others to develop cybersecurity advisories on ransomware actors and variants to enable improved network defense at scale as part of our ongoing #StopRansomware campaign.

Continuing to enhance our collective cyber defense is contingent upon persistent collaboration and information sharing between partners across government and the private sector. To enable the broader cyber community to benefit from valuable threat intelligence, we urge organizations to report observed activity, including ransomware indicators of compromise and TTPs, to CISA or our federal law enforcement partners, including the FBI and the U.S. Secret Service. You can find information on ransomware reporting and view additional resources to manage ransomware risk at stopransomware.gov. (3)

About The JCDC

JCDC is a public-private cybersecurity collaborative that leverages new authorities granted by Congress in the 2021 National Defense Authorization Act to unite the global cyber community in the collective defense of cyberspace. CISA welcomes all critical infrastructure organizations and entities with cybersecurity expertise and visibility to participate in our collaboration efforts. If your organization is interested in participating in collaborative efforts to stop ransomware, please visit cisa.gov/JCDC-FAQs or email [email protected].

Direct CISA Links

https://oodaloop.com/ooda-original/2022/05/12/cisa-granted-subpoena-power-as-cyber-incident-reporting-bill-signed-into-law/

https://oodaloop.com/archive/2023/03/03/the-ooda-network-on-the-2023-national-cybersecurity-strategy/

https://oodaloop.com/archive/2023/03/06/the-missing-piece-of-the-national-cybersecurity-strategy/

https://oodaloop.com/archive/2023/03/21/how-to-manage-cyber-risk-as-a-board-director/

https://oodaloop.com/archive/2019/02/27/securing-ai-four-areas-to-focus-on-right-now/

https://oodaloop.com/archive/2023/03/01/cisa-releases-red-team-assessment-on-critical-infrastructure/

https://oodaloop.com/archive/2023/02/22/cisa-jcdc-sets-2023-planning-agenda/


About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.