TLDR:
– Critical infrastructure organizations are calling for a scaled-back version of CISA’s cyber incident reporting mandate.
– Industry wants clearer terms, hard limits on information collection, and more narrowly defined definitions.
Public comments on the cyber incident reporting mandate for critical infrastructure show industry pushback against the Biden administration’s significant cyber regulation. The Cybersecurity and Infrastructure Security Agency (CISA) is reviewing feedback from various stakeholders now that the comment period on the proposed rule closed on Wednesday. The law aims to gather more information on the cyber threats facing critical infrastructure, acknowledging that the government currently relies on a patchwork of regulations and voluntary reporting. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires covered entities to report substantial cyber incidents and ransomware payments to CISA within 24 hours.
Industry feedback focuses on how a cyber incident is defined, which organizations must report incidents, the potential consequences of non-compliance, and concerns about how reported information will be shared and safeguarded. Commenters call for detailed definitions, exceptions, and clarifications of the reporting requirements. Some organizations argue that existing sector regulations should take precedence, and that the resources needed to comply with the new reporting obligations may be strained. Questions also arise about the government’s willingness to share information back with industry and its ability to safeguard sensitive data.
CISA will need to navigate these concerns as it finalizes the cyber incident reporting mandate and harmonizes reporting rules across sectors to streamline compliance and reduce redundancy.