Industry trade groups still have ‘concerns’ with cyber reporting mandate
A coalition of influential infrastructure trade groups and associations wants to change key definitions in an incoming cyber reporting mandate, citing long-standing “concerns” about the Cybersecurity and Infrastructure Security Agency’s engagement process and existing regulatory requirements.
In a letter to CISA Director Jen Easterly this week, 21 organizations from the communications, energy, aviation, IT, and transportation sectors, among others, asked the cyber agency to start an “ex parte” process that would apply the critical infrastructure cyber reporting mandate “in a manner consistent with congressional intent.”
“Simply put, the public record to date is insufficient, and a single round of comments in response to CISA’s [Notice of Proposed Rulemaking] will not allow the agency to effectively capture and leverage stakeholder feedback,” the letter states. “Absent increased industry engagement, CISA’s proposed regulation may inadvertently impose requirements that hinder rather than help our sectors maintain security and operational efficiency.”
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires “covered entities” with a “reasonable belief” that they experienced a “covered cyber incident” to submit a notification to CISA within 72 hours, or within 24 hours if a ransomware demand is paid. The letter, signed Oct. 29, seeks to narrow the scope of those definitions.
The cyber reporting mandate, set to take effect next year, significantly expands the cyber agency’s authority, as current federal visibility of threats to critical infrastructure is mostly voluntary and fragmented. Meanwhile, cyberattacks on critical infrastructure have increased, with nation-backed hackers and criminal ransomware gangs targeting vital services like energy, water, and telecommunications.
Members of Congress, including Rep. Yvette Clarke, D-N.Y., one of CIRCIA’s sponsors, have shared similar doubts about the rulemaking process and the proposed rule. During a congressional hearing, Clarke said that CISA’s definition of covered entities is too broad.
A CISA spokesperson said in a statement to CyberScoop that the agency “is committed to hearing from the American people, critical infrastructure owners and operators, and other community members to help shape the regulation to improve our collective security. We welcomed feedback on the CIRCIA Notice of Proposed Rulemaking and are reviewing and adjudicating the comments. These efforts will continue as we work through the … deliberative process of implementing CIRCIA consistent with authorities given to us by Congress in the Final Rule.”
Many industry trade groups that signed the letter have long expressed concern that the proposed definitions are too broad in scope.
The letter is signed by ACA Connects, Airlines for America, Airports Council International, American Gas Association, American Public Power Association, American Water Works Association, Association of American Railroads, CTIA, Edison Electric Institute, Healthcare Information and Management Systems Society, Information Technology Industry Council, Internet Security Alliance, National Association of Broadcasters, National Association of Wholesaler-Distributors, National Electrical Manufacturers Association, National Rural Electric Cooperative Association, NCTA – The Internet & Television Association, NTCA – The Rural Broadband Association, Telecommunications Industry Association, U.S. Chamber of Commerce and USTelecom.
This story was updated Nov. 1, 2024, with comments from a CISA spokesperson.