
Government Contracts Advisor

Industry insight & analysis

CISA’s Proposed Wide-Sweeping Cyber Incident Reporting Requirements – What Government Contractors Should Know

By Phillip Seckman and Stephen Robison
May 9, 2024
  • Data and Software Rights, Patent Rights and Cybersecurity
  • Government Contracts

On April 4, 2024, the US Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking (“Proposed Rule”) associated with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The proposed draft rule, coming in at 133 pages in the Federal Register, would establish two separate incident reporting requirements for companies that are a part of the US critical infrastructure. While the proposed rule, if adopted, would impact entities in many different contexts, we focus here on the potential impacts to government contractors and subcontractors.

Key Takeaways

  • The proposed rule would expand reporting obligations broadly to entities that are part of the US critical infrastructure. Using a size- and sector-based evaluation, the proposed rule would subject an estimated 316K entities to its reporting requirements.
  • Under the proposed rule, a “covered cyber incident” is reportable to CISA. What constitutes a “covered cyber incident” is likely to be hotly debated and difficult to discern, being determined by a case-by-case and fact-specific impact analysis of the event, ancillary effects, disruption of business, and root cause.
  • Generally, reporting to CISA would be required within 72 hours for a covered cyber incident (defined below) and 24 hours for any ransom payment to a threat actor.
  • Four exceptions to this reporting requirement are proposed, the most relevant being when CISA maintains an information sharing agreement with an agency that also requires substantially the same timeline and similar reporting of a cyber incident.

The definitions in the proposed rule that establish which “covered entities” would be impacted, the reporting obligations imposed on covered entities, what constitutes a “covered cyber incident,” the reporting exceptions, and foundational compliance measures are discussed below. In approaching these subjects, we focus on the implications for government contractors and subcontractors.

See the full article on dentons.com


About Phillip Seckman

Phillip Seckman represents clients concerning government and commercial contract matters. His practice spans a broad range of subjects related to federal procurement law, state and local procurement law, and complex federal regulatory issues. He concentrates his practice in the areas of commercial item acquisitions, GSA schedule contracting, cybersecurity, compliance, internal investigations, and bid protests (both federal and state). A significant component of his practice involves government contract cost allowability, proper cost accounting, and contract cost and pricing issues.


About Stephen Robison

Stephen is a member of the US Government Contracts practice where he represents clients on government contracts, federal investigations, and national security matters.
