Monday, April 8, 2024

Review - CIRCIA NPRM – Covered Entity

Last week, CISA published the official version of their Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (Division Y, PL 117-103) notice of proposed rulemaking (NPRM). This is part of a continuing series of posts looking at the proposed rulemaking. In this post I will be looking at how CISA is proposing to deal with the problem of implementing the CIRCIA-mandated definition of the term ‘covered entity’ as it applies to these reporting requirements.

Covered Entity Definition

CIRCIA (codified at 6 USC 681-681g) defines the term ‘covered entity’ {§681(5)}: “The term ‘covered entity’ means an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21 [link added], that satisfies the definition established by the Director in the final rule issued pursuant to section 2242(b) (§681b).” Congress had to rely this broadly on CISA’s judgement to define the term because it has never been able to come up with a usable definition of what constitutes a critical infrastructure entity.

In this NPRM, CISA defined the term ‘covered entity’ (§226.1) this way: “Covered entity means an entity that meets the criteria set forth in § 226.2 of this part.” In turn, §226.2, Applicability, provides a two-part requirement. First, the entity must be larger than the ‘small business size standard’ set forth in 13 CFR part 121. Second, the entity must meet “one or more of the sector-based criteria provided below, regardless of the specific critical infrastructure sector of which the entity considers itself to be part”. Then §226.2 goes on to list those ‘sector-based criteria’:

Owns or operates a covered chemical facility,

Provides wire or radio communications service,

Owns or operates critical manufacturing sector infrastructure,

Provides operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information,

Performs an emergency service or function,

Bulk electric and distribution system entities,

Owns or operates financial services sector infrastructure,

Qualifies as a State, local, Tribal, or territorial government entity,

Qualifies as an education facility,

Involved with information and communications technology to support elections processes,

Provides essential public health-related services,

Information technology entities,

Owns or operates a commercial nuclear power reactor or fuel cycle facility,

Transportation system entities,

Subject to regulation under the Maritime Transportation Security Act, or

Owns or operates a qualifying community water system or publicly owned treatment works.

Each of the links above takes you to a paragraph under §226.2(b) that provides a brief description of what types of facilities (frequently with reference to a controlling regulatory structure) under that general description would be classified as a ‘covered entity’. There are lengthier discussions in the preamble that provide additional information on how CISA reached each of these definitions. Those discussions, from an enforcement perspective, will be very important for courts deciding whether a facility should be covered by this regulation.

For a more detailed look at how this definition specifically applies to chemical facilities, see my article at CFSN Detailed Analysis - subscription required.
