Energy, other critical infrastructure providers press for limits on cyber incident reporting rules

A flurry of critical infrastructure providers are making a final push to urge the Cybersecurity and Infrastructure Security Agency to place guardrails around new incident reporting requirements.  

The Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, which will go into effect next year, requires covered critical infrastructure providers to report major security breaches or attacks within 72 hours. Those entities will also have to report ransomware payments within 24 hours. 

In pushback against the proposed rule during the public comment period, which was extended to July 3, critical infrastructure providers want to limit the mandate to the most consequential security threats and to allow security teams enough time to make accurate assessments. 

TechNet, a bipartisan group of industry CEOs and senior executives, urged CISA to carefully consider what “covered entities” should be required to report these incidents and the type of “covered cybersecurity incidents” that should be disclosed. The group wants to make sure providers have enough time to accurately disclose what happened. 

TechNet is concerned that some providers may have critical functions operating within their organization, but not every part of the organization should be considered as critical. 

The American Gas Association, working in collaboration with other energy groups including the American Petroleum Institute, raised similar concerns about CIRCIA. Among the most important issues, AGA asked CISA to limit the scope of the initial reporting requirements during the first 72 hours to allow incident response teams to fully respond to the breach or attack. 

“The preliminary hours of a confirmed cyber incident that actually jeopardizes our critical systems is crucial,” Kimberly Denbow, VP, security and operations at AGA, said in a statement. “Our comments focus on ensuring the reporting requirements meet the needs of the federal government, but doesn’t hinder our mitigation and response efforts.”

The American Hospital Association said the requirements in many ways duplicated similar requirements that other federal agencies placed on the healthcare system. 

AHA is asking for a harmonization process to allow healthcare providers to submit unified reports about cyber incidents through a web portal. AHA is also seeking an exemption for small hospitals of less than 100 beds.