
Proposed Cybersecurity Regulation Uncertain Under Trump Administration


Proposed cybersecurity regulation may face changes or challenges in view of the incoming Trump administration, which intends to reduce the perceived regulatory burden on American companies and to streamline government operations. Still, the incoming administration is unlikely to dismiss the importance of cybersecurity for the nation; rather, it will aim to balance the need for collaboration and awareness against the reasonable demands placed on the private sector.

On March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) authorized the Cybersecurity and Infrastructure Security Agency (“CISA”) to promulgate regulations that would require certain entities in critical infrastructure sectors to report cyber incidents and ransom payments. CIRCIA aims to enhance national security and cybersecurity resilience by improving situational awareness, threat analysis, information sharing, and incident response across the federal government and the private sector. CISA published the proposed regulation in April 2024, and the public comment period ended on July 3, 2024.

Key features of the proposed regulation include:

  • Defining Terminology:
    • A covered entity includes entities that meet certain size, sector, or function-based criteria, such as having annual revenues of $100 million or more, operating in one of the 16 critical infrastructure sectors, or providing certain information technology or operational technology services.
    • A covered cyber incident is any cyber incident having a serious impact on (1) the safety and resiliency of the covered entity’s operational systems and processes, (2) the availability or integrity of data or information essential to the covered entity’s operations, or (3) the covered entity’s ability to provide essential goods or services.
  • Establishing Reporting Requirements:
    • A covered entity must submit a covered cyber incident report within 72 hours of reasonably believing that a covered cyber incident has occurred, a ransom payment report within 24 hours of making a ransom payment in response to a ransomware attack, a joint covered cyber incident and ransom payment report if both apply, and a supplemental report if substantial new or different information is discovered after submitting a previous report.
    • Certain reporting exceptions exist, including, for example, situations where a covered entity reports substantially similar information in a substantially similar timeframe to another federal agency pursuant to an existing law, regulation, or contract and a CIRCIA agreement is in place between CISA and the other federal agency.
  • Mandating Preservation Requirements:
    • A covered entity must preserve data and records relevant to the reported covered cyber incident or ransom payment for two years from the date of submission of the initial report, in a format or form that can be readily accessed and used by the covered entity or CISA, and in a manner that protects the data and records from unauthorized access, use, modification, or disclosure.
  • Creating Enforcement Mechanisms:
    • CISA may, for example, make a request for information from a covered entity, issue a subpoena to compel the disclosure of information, and refer the matter to the Attorney General to bring a civil action to enforce a subpoena.

CISA is expected to publish the final rule by October 2025, with a later effective date. However, this proposed regulation may change based on the priorities of the incoming administration.

First, President-elect Donald Trump, who created CISA in 2018 as part of the Cybersecurity and Infrastructure Security Agency Act, has recognized the need for cybersecurity vigilance, especially in the wake of major cyberattacks such as the SolarWinds and Colonial Pipeline incidents. However, he has also been known for reducing regulatory burdens on businesses and promoting economic growth. Many stakeholders have complained that the mandatory reporting requirement under CIRCIA creates a heavy burden on private companies, especially small and medium-sized enterprises, and may discourage them from reporting incidents or seeking assistance from CISA.

Second, a further factor that may affect the regulation’s fate is the resignation of Jen Easterly, who has been at the helm of CISA since 2021 and has been a strong advocate for CIRCIA. Trump has not yet announced his pick for Easterly’s replacement, but has announced that he intends to nominate Kristi Noem, the governor of South Dakota, to be the head of the Department of Homeland Security (“DHS”). CISA falls under the ambit of the DHS, and Noem has taken a strong stance on the need for cybersecurity and has supported efforts to protect critical infrastructure in South Dakota. Under her leadership, South Dakota has implemented several initiatives to enhance its cybersecurity posture, including the establishment of a state cybersecurity task force and partnerships with private sector entities to improve cyber resilience.

Third, a further headwind for CIRCIA’s regulation is the expected formation of the Department of Government Efficiency (“DOGE”), a presidential advisory commission that Trump has proposed to streamline and consolidate federal functions and eliminate waste and duplication. CISA has been in the crosshairs of critics who say it has overstepped its original mandate and has become too bureaucratic and intrusive. CISA is unlikely to go away, but its proposed regulations under CIRCIA could see changes or delays as part of the DOGE’s review and reorganization process.

What This Means for You

Companies should determine whether they fall under the current definition of “covered entity” and thus would be subject to any mandatory reporting and preservation requirements if the final rule is promulgated without significant changes. If you are not a covered entity, but you interact with or depend on covered entities, you should also be alert to the possible impacts of the regulation on your cybersecurity and business operations. You may benefit from increased information sharing and coordination with CISA and covered entities, but you may also face increased risks or liabilities if covered entities fail to report or respond to cyber incidents or ransom payments.

V&E assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.