Global tech trade association ITI called on the Cybersecurity and Infrastructure Security Agency (CISA) today to narrow the scope of its cyber incident reporting rule for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
ITI responded to CISA’s Notice of Proposed Rulemaking (NPRM) to implement CIRCIA with key recommendations, including narrowing the scope of “covered entity” and refining the definition of “covered cyber incident.”
“Given the broad scope of the rule and the amount of information requested, we are concerned that CIRCIA in its current state will inevitably lead to overreporting of minor and potentially out of scope incidents,” ITI wrote in its comments. “Such myriad reports will risk burying significant cyber trends in irrelevant data, and significantly decrease the benefit of the reporting scheme.”
“Further, we are concerned about the broad scope of the definitions of substantial cyber incident and covered entity,” it added. “The definition of covered entity is very broad, and CISA should provide further guidance to provide certainty to companies as to whether or not they are in scope as a ‘covered entity.’”
CISA officially published the proposed rule to the Federal Register on April 4, giving the public 60 days to submit written comments. Today is the deadline for the public to submit comments to help inform the final rule – which CISA expects to publish within 18 months of the close of the comment period.
CIRCIA – signed into law by President Biden in March 2022 – requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the government.
Under the law, critical infrastructure owners and operators are obligated to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
ITI is encouraging CISA “to take a more proactive role in harmonizing incident reporting requirements,” and explore whether “a single, national reporting function is feasible.”
ITI’s submission also recommends that CISA allow for flexibility around supplemental reporting, consider the security implications associated with sharing and storing reports, and tailor the information requested in the initial report to reflect the reality that some information may not be available right after an incident occurs.
It also wants the agency to uphold the liability protections provided in CIRCIA, as well as take steps to foster reciprocity and ensure that CIRCIA provides value to the cybersecurity community.
ITI is not the only group to submit comments today asking CISA to improve its cyber incident reporting rule.
The American Gas Association (AGA), in collaboration with other energy trade associations, also submitted comments that recommend CISA “focus solely on incidents that pose a real threat to operations and provide a clearer definition of what constitutes a substantial cyber incident.”
The AGA’s comments also call on the agency to “reduce the quantity and refine the type of information required to be reported within the first 72 hours of an incident.”
“We recognize the criticality of our infrastructure and that it is an attractive target for bad actors,” said AGA Vice President of Security and Operations Kimberly Denbow. “The preliminary hours of a confirmed cyber incident that actually jeopardizes our critical systems are crucial. Our comments focus on ensuring the reporting requirements meet the needs of the Federal government but do not hinder our mitigation and response efforts.”