Page 24 - Cyber Defense eMagazine September 2022
To date, CISA has not released specific information about the nature of cyberattacks to be reported, but
the agency has indicated that it will expand the traditional definition of ‘critical infrastructure’ to include at
a minimum 16 Critical Infrastructure Sectors defined in a 2013 Presidential Policy Directive:
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food & Agriculture
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Nuclear Reactors, Materials, and Waste
• Transportation Systems
• Water and Wastewater Systems
To further define the industries covered, several sectors include subsectors. For example, the commercial
facilities sector includes seven subsectors covering, among others, casinos, stadiums, retail centers, and
malls under the rationale that they constitute “sites that draw large crowds of people,” but without defining
what “large” is. Other sectors define covered activities instead of relying on subsectors.
Together, the 16 Sectors represent a significant expansion of what was once considered critical. For
instance, they cover the entire food supply chain from farms to restaurants and grocery stores, water and
electric utilities, retail banking, and telecommunication networks, including internet access providers and
cell phone networks. The law gives CISA wide latitude to expand the list of covered entities within and
beyond the 16 Sectors, whether it is by adding new covered activities or subsectors to an existing Sector,
or adding a new Sector altogether.
Most medium and large businesses may want to review the list of Critical Infrastructure Sectors, publicly
available on CISA’s website. While many covered activities and terms are subject to further
clarification, a review of CISA’s rationale for labelling a sector as critical may help in determining the
likelihood that a business will be required to report cyber incidents. To encourage disclosure and assuage
concerns about releasing potentially sensitive business data, the law includes protections against legal
liability and freedom of information requests for companies that report to CISA.
Organizations that have implemented NIST or another Cyber Security Framework (CSF) should already
have processes in place to triage and investigate security incidents, identify external stakeholders, and
disseminate relevant information. Once CISA publishes details implementing the act, these organizations
will need to update their existing processes to cover areas required under the new law that weren’t
included in the original framework, including:
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.