The Cyber Incident Reporting for Critical Infrastructure Act of 2022 and its Applicability to Water and Wastewater Systems

The act, approved by the House of Representatives on March 9, 2022 and the Senate on March 10, amends the Homeland Security Act of 2002 (6 U.S.C. 651) to require covered critical infrastructure owners and operators to report defined cyber incidents to DHS’ Cybersecurity Information and Security Agency (CISA) within 72 hours of having a reasonable belief that an incident has occurred. While the legislation makes no reference to drinking water or wastewater utilities, it is highly likely that at least some systems will meet the definition of “covered entities” subject to the law, when CISA completes its rulemaking.