Industry trade groups still have ‘concerns’ with cyber reporting mandate
A coalition of influential infrastructure trade groups and associations wants to change key definitions in an incoming cyber reporting mandate, citing long-standing “concerns” about the Cybersecurity and Infrastructure Security Agency’s engagement process and existing regulatory requirements.
In a letter to CISA Director Jen Easterly this week, 21 organizations from the communications, energy, aviation, IT, and transportation sectors, among others, asked the cyber agency to start an “ex parte” process that would apply the critical infrastructure cyber reporting mandate “in a manner consistent with congressional intent.”
“Simply put, the public record to date is insufficient, and a single round of comments in response to CISA’s [Notice of Proposed Rulemaking] will not allow the agency to effectively capture and leverage stakeholder feedback,” the letter states. “Absent increased industry engagement, CISA’s proposed regulation may inadvertently impose requirements that hinder rather than help our sectors maintain security and operational efficiency.”
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires “covered entities” with a “reasonable belief” that they experienced a “covered cyber incident” to submit a notification to CISA within 72 hours, or within 24 hours if a ransomware demand is paid. The letter, signed Oct. 29, seeks to narrow the scope of those definitions.
The cyber reporting mandate, set to take effect next year, significantly expands the cyber agency’s authority, as current federal visibility of threats to critical infrastructure is mostly voluntary and fragmented. Meanwhile, cyberattacks on critical infrastructure have increased, with nation-backed hackers and criminal ransomware gangs targeting vital services like energy, water, and telecommunications.
Members of Congress, including Rep. Yvette Clarke, D-N.Y., one of CIRCIA’s sponsors, have shared similar doubts around the rulemaking process and the proposed rule. During a congressional hearing, Clarke said that the definition of covered entities by CISA is too broad.
CISA acknowledged a request for comment from CyberScoop but did not respond in time for publication.
Many industry trade groups that signed the letter have long expressed concern that the proposed definitions are too broad in scope.
The letter is signed by ACA Connects, Airlines for America, Airports Council International, American Gas Association, American Public Power Association, American Water Works Association, Association of American Railroads, CTIA, Edison Electric Institute, Healthcare Information and Management Systems Society, Information Technology Industry Council, Internet Security Alliance, National Association of Broadcasters, National Association of Wholesaler-Distributors, National Electrical Manufacturers Association, National Rural Electric Cooperative Association, NCTA – The Internet & Television Association, NTCA – The Rural Broadband Association, Telecommunications Industry Association, U.S. Chamber of Commerce and USTelecom.