USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields
As noted in 2.1 Scope of Critical Infrastructure Cybersecurity Regulation, in addition to the forthcoming CIRCIA requirements, there have already been sector-specific notification requirements in place for quite some time. Those include the following.

• Energy sector – the NERC, under FERC oversight, requires Bulk Electric System (BES) entities to report cybersecurity incidents that could impact reliability, including operational disruptions, unauthorised access, or attempted compromises, with notification timelines based on the severity of the incident. The most severe incidents (those that successfully compromise BES Cyber Systems and impact reliability) must be reported to the Electricity Information Sharing and Analysis Center (E-ISAC) and CISA within one hour of determination.
• Water and wastewater systems sector – under the AWIA, water utilities must notify local emergency planning committees of any disruptions affecting service delivery, including those caused by cybersecurity incidents.
• Nuclear sector – the NRC requires immediate notification of cyber-incidents that compromise digital systems essential to nuclear safety, security, or emergency preparedness.
• Transportation systems sector – the TSA requires pipeline, rail and aviation operators to report identified categories of cybersecurity incidents within 24 hours and conduct post-incident reviews.
• Healthcare sector – see 6.3 Cybersecurity in the Healthcare Sector.
• Financial services sector – see 3. Financial Sector Operational Resilience Regulation (in particular, 3.1 Scope of Financial Sector Operational Resilience Regulation).
• DIB – contractors handling CUI must report cyber-incidents to the Department of Defense (DoD) within 72 hours of discovery.

2.4 State Responsibilities and Obligations

State governments play a critical role in enhancing resilience and identifying threats to critical infrastructure within their jurisdictions. While the federal government provides overarching guidance and regulatory frameworks, states often act as the frontline co-ordinators for implementing resilience strategies, facilitating information sharing, and supporting critical infrastructure owners and operators.

Resilience Responsibilities

State responsibilities when it comes to enhancing the cyber-resilience of critical infrastructure are as follows.

• Development of statewide cybersecurity strategies – many states have established cybersecurity offices or task forces to develop and implement strategies aimed at strengthening the resilience of public and private critical infrastructure. These strategies often align with federal initiatives, such as the NIST Cybersecurity Framework, while addressing state-specific risks and priorities.
• Incident response co-ordination – states frequently serve as co-ordinators for incident response efforts through their state fusion centres and emergency operations centres. These entities work closely with CISA, local governments, and private-sector stakeholders to respond to and recover from cyber-incidents.
• Infrastructure resilience grants and programmes – states administer federal grant programmes, such as the State and Local Cybersecurity Grant Program, to fund pro-