ITI calls on CISA to improve CIRCIA cyber incident reporting rule – MeriTalk

Global technology industry association ITI today called on the Cybersecurity and Infrastructure Security Agency (CISA) to limit the scope of its cyber incident reporting requirements under the Cyber ​​Incident Reporting for Critical Infrastructure Act (CIRCIA).

ITI responded to the Notice of Proposed Rulemaking (NPRM) implementing CIRCIA with several key recommendations, including narrowing the scope of the “covered entity” definition and refining the definition of “covered cyber incident.”

“Given the broad scope of the rule and the amount of information requested, we are concerned that CIRCIA in its current state will inevitably lead to overreporting of smaller and potentially out-of-scope incidents,” ITI wrote in its comments. “With such countless reports, there is a risk that important cyber trends will be lost in irrelevant data and the usefulness of the reporting system will be significantly reduced.”

“In addition, we are concerned about the broad scope of the definitions of significant cyber incident and covered entity,” it added. “The definition of covered entity is very broad, and CISA should provide further guidance to provide certainty to organizations about whether or not they are in scope as a ‘covered entity.’”

CISA formally published the proposed rule in the Federal Register on April 4 and gave the public 60 days to submit written comments. Today is the deadline for the public to submit comments to contribute to the final rule—which CISA expects to publish within 18 months of the end of the comment period.

CIRCIA – signed into law by President Biden in March 2022 – requires CISA to develop and implement regulations requiring affected companies to report cyber incidents and ransom payments to the government.

The law requires owners and operators of critical infrastructure to report certain cyber incidents to CISA within 72 hours and report ransomware payments they made to attackers within 24 hours.

The ITI calls on CISA to “take a more active role in harmonizing incident reporting requirements” and to examine whether “a unified, national reporting function is feasible.”

The ITI submission also recommends that CISA allow flexibility in reporting supplemental reports, consider the security implications associated with sharing and storing reports, and tailor the information requested in the initial report to reflect the reality that some information may not be available immediately after an incident occurs.

The submission adds that the agency should maintain the liability protections provided in CIRCIA and take steps to promote reciprocity and ensure that CIRCIA provides value to the cybersecurity community.

ITI is not the only group that submitted comments today calling on CISA to improve its cyber incident reporting requirements.

The American Gas Association (AGA), in cooperation with other energy associations, also submitted comments recommending that CISA “focus exclusively on incidents that pose a real threat to operations and provide a clearer definition of what constitutes a significant cyber incident.”

Similarly, in its comments, the AGA urges the agency to “reduce the amount and refine the type of information that must be reported within the first 72 hours after an incident.”

“We recognize the criticality of our infrastructure and know it is an attractive target for malicious actors,” said Kimberly Denbow, vice president of security and operations at AGA. “The first few hours of a confirmed cyber incident that actually compromises our critical systems are critical. Our comments are focused on ensuring that reporting requirements meet federal government requirements but do not hinder our mitigation and response efforts.”