On March 1, 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), which requires covered entities to report certain cyber incidents. The Act requires covered entities that experience a covered cyber incident to report the incident to the Cybersecurity and Infrastructure Security Agency (CISA) no later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.

These requirements are meant to provide greater cybersecurity visibility for the federal government. The requirements will go into effect once the rule is published in the Federal Register, after going through the formal rulemaking process.

Act Overview

An entity will be covered by and required to report under this Act if it is in a critical infrastructure section. An infrastructure system or asset is critical if it is vital to the United States that its incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

In addition, a covered entity that makes a ransom payment as the result of a ransomware attack against must report the payment to the CISA no later than 24 hours after the ransom payment has been made. This requirement applies even if the ransomware attack is not a covered cyber incident subject to the 72-hour reporting requirement.

The Act requirements do not apply to covered entities or their functions if the CISA determines they constitute critical infrastructure owned, operated or governed by multi-stakeholder organizations.

Next Steps

Covered entities should review the Act’s requirements and continue to monitor the Federal Register for an update on the Act’s effective date.


This Legal Update is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. ©2022 All rights reserved.