Cyber Incident Reporting for Critical Infrastructure Act (CIRCA)
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCA) is a mandate that requires companies to report any significant cyber incidents to the Department of Homeland Security (DHS). Its aim is to enhance the security of the nation’s critical infrastructure, which includes everything from power plants to financial institutions.
While the mandate is primarily aimed at large companies that operate critical infrastructure, it also affects small and medium-sized businesses (SMBs), because SMBs often provide services or products to these larger entities. SMBs may be less aware of the requirements and implications of CIRCA, but compliance is essential to ensure the security of the nation’s critical infrastructure.
What is CIRCA?
CIRCA is a relatively new law that requires companies to report any significant cyber incidents to the Department of Homeland Security (DHS) within 24 hours of discovery. The definition of a significant cyber incident is broad and includes any incident that may cause harm to the confidentiality, integrity, or availability of critical infrastructure information systems or networks.
The law requires that companies provide specific information to the DHS. This includes the type of incident, the date and time of discovery, the systems or networks affected, and the potential impact of the incident. Companies are also required to provide updates to the DHS as the incident progresses and to cooperate with any investigations or remediation efforts.
How Does CIRCA Affect SMBs?
SMBs that provide services or products to critical infrastructure entities may be required to comply with CIRCA. For example, a small IT company that supports a power plant would need to comply with the reporting requirements if it discovered a significant cyber incident on the power plant’s systems.
Compliance with CIRCA may be more challenging for SMBs than for larger companies due to limited resources and expertise. However, failure to comply with CIRCA can result in penalties, fines, and reputational damage.
Work to Ensure CIRCA Compliance
- Understand the reporting requirements. Be familiar with the reporting requirements under CIRCA. This includes the types of incidents that need to be reported, the information that needs to be provided, and the timeline for reporting.
- Assess cybersecurity risks. SMBs should conduct a risk assessment to identify potential cybersecurity risks and vulnerabilities, paying particular attention to those that may affect the critical infrastructure entities they work with.
- Implement cybersecurity measures. SMBs should implement appropriate cybersecurity measures to mitigate identified risks and vulnerabilities, such as firewalls, intrusion detection systems, and employee training.
- Develop an incident response plan. SMBs should develop an incident response plan that includes procedures for detecting, reporting, and responding to significant cyber incidents.
- Stay informed. SMBs should stay informed about changes to CIRCA and other cybersecurity regulations and best practices to ensure ongoing compliance.
Compliance with CIRCA is important for everyone, and it should not be overlooked by the SMBs that provide services or products to critical infrastructure entities.
If you need help understanding reporting requirements, assessing cybersecurity risks, or implementing appropriate measures, contact us today.
Article published with permission from Your Tech Updates.