
University associations express concerns about new reporting requirements for cyber incidents

A coalition of higher education associations led by ACE has raised significant concerns about the newly proposed reporting requirements of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The associations argue that the broad inclusion of higher education institutions as “covered entities” under the proposed rule could place an undue burden on colleges and universities.

In comments to Jennie M. Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security, ACE President Ted Mitchell emphasized the impact the proposed rule would have on institutions of varying sizes, populations and missions.

“We are concerned that despite the fact that we have not previously been widely considered a ‘covered entity,’ the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency have failed to fully engage the higher education community in developing this comprehensive proposed rule,” Mitchell wrote.

The comments highlighted the diversity of the higher education sector, which makes a consistent approach to cyber incident reporting particularly challenging.

“We are concerned that the proposed rule includes all institutions of higher education that receive Title IV student aid without regard to size, population, or other factors,” Mitchell wrote. He further argued that the lack of size limits or distinctions in the proposed rule, unlike in other sectors, would result in almost all institutions of higher education being subject to the same reporting requirements.

The comments called for further differentiation to narrow the inclusion criteria for universities under CIRCIA and for greater engagement within the university community.

As CISA continues to finalize the rule, higher education groups hope to work closely with the agency to ensure that the unique needs and challenges of the higher education sector are adequately addressed.