CISA to host industry feedback sessions on cyber incident reporting regulation
The Cybersecurity and Infrastructure Security Agency will hold sector-by-sector town halls in the coming weeks to get feedback on a stalled regulation requiring critical infrastructure owners and operators to report when they suffer major cyberattacks.
The meeting dates, set to be published in the Federal Register Friday, would "allow external stakeholders a limited additional opportunity to provide input on refining the scope and burden" of a proposed rule that CISA is advancing as part of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that Congress enacted in 2022.
That law requires critical infrastructure owners and operators to notify CISA within 72 hours when they are hit with a significant cyberattack and within 24 hours when they make a ransomware payment.
But defining what entities the law would specifically cover and how has been a point of contention. The Trump administration moved a deadline to complete the rule last year, saying it would delay finalizing the rule until May.
Among the specific topics CISA wants comment on during the virtual town halls are proposed sector-based criteria for whom the regulations apply to; how to handle small businesses; how to consider chemical plants in light of a chemical plant security law lapsing; the list of example incidents that would meet the law's reporting requirements; and how to reduce conflicts with existing regulations.
After the sector-by-sector meetings, CISA would hold general sessions on March 31 and April 2.
One industry source, granted anonymity to speak candidly, said they weren't aware the additional sessions were coming until Thursday's Federal Register notice and it "would have been nice" to know it was coming.
They also told CyberScoop they weren't sure the town halls were what CIRCIA needed right now.
"Industry has already been very vocal about what we think needs to be addressed in the final rule," the source said. "We want some back and forth, give and take to better understand what CISA may view as its limitations in implementing the rule.
"And to me, a town hall where you're asking for more input isn't what we need at this point. We want a dialogue," they said.
Speaking to reporters at a conference last week about the timeline on CIRCIA releasing a final rule, CISA official Nick Andersen said that "I think that we'll have some news on CIRCIA in pretty short order in the next couple of weeks, hopefully." Andersen, executive assistant director for cybersecurity at the agency, said he couldn't say more at the time on whether CISA would continue the existing rulemaking process or undertake a new one.
The post CISA to host industry feedback sessions on cyber incident reporting regulation appeared first on CyberScoop.