Will New Cybersecurity Mandate Impact Critical Infrastructure Sectors?

November 1, 2024

A coalition of 21 infrastructure trade groups, including those representing the communications, energy, aviation, IT, and transportation sectors, has expressed significant concerns about the upcoming cybersecurity reporting mandate. This mandate, part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), requires entities with a “reasonable belief” of a “covered cyber incident” to notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, or within 24 hours if a ransomware demand is paid. In a letter to CISA Director Jen Easterly, these organizations called for an “ex parte” process to better align the mandate’s implementation with congressional intent and allow for more robust industry feedback.

Coalition’s Criticism on Engagement Process

Insufficiency of Single Round of Comments

The coalition criticized the current engagement process as insufficient, arguing that a single round of comments on the Notice of Proposed Rulemaking (NPRM) would not capture all necessary stakeholder feedback. They stressed that without increased industry participation, the proposed regulation might inadvertently hinder the sectors’ security and operational efficiency. According to the coalition, holding multiple rounds of comments would allow a more comprehensive understanding of the challenges faced by various industries, leading to a more balanced regulatory framework that does not compromise functionality or security.

Moreover, the groups believe that CISA’s streamlined approach to gathering feedback does not allow for meaningful dialogue between the agency and various stakeholders. The diverse nature of the critical infrastructure sector means that a one-size-fits-all regulation could impose significant burdens on smaller entities that may lack the resources to comply. As such, the coalition’s call for an “ex parte” process aims to ensure that all voices are heard and adequately considered before finalizing any regulations, better aligning with legislative intent and providing a more practical approach to cybersecurity.

Broad Definitions in the Mandate

Concerns were also raised about the broad definitions used in the mandate, echoing sentiments shared by lawmakers like Rep. Yvette Clarke. Clarke believes that the definition of “covered entities” is too expansive, potentially encompassing too many organizations and imposing onerous requirements. The coalition fears such broad definitions would inevitably result in over-reporting, thereby overwhelming CISA with incident notifications and diluting the agency’s ability to respond effectively to genuine cyber threats.

The coalition highlighted the need for a more precise definition of what constitutes a “covered cyber incident” and who falls under the category of “covered entities.” They argue that a narrower focus would help prioritize the most critical threats, ensuring that limited resources are deployed where they are needed most. This would not only enhance the overall security landscape but also allow affected organizations to concentrate on mitigating significant risks rather than fulfilling cumbersome reporting obligations.

Diverse Sector Perspectives

Call for Enhanced Engagement

Signatories of the letter include notable organizations such as ACA Connects, Airlines for America, the American Gas Association, the National Association of Broadcasters, and the U.S. Chamber of Commerce. These groups have historically voiced unease over broad regulatory definitions and now seek a more detailed, industry-aligned approach to enhance national cybersecurity without impeding operational capabilities. By emphasizing the importance of an ongoing feedback loop, these organizations hope to create a more flexible and responsive regulatory environment that can adapt to evolving threats without stifling innovation or operational functionality.

A CISA spokesperson responded, emphasizing the agency’s commitment to refining the regulation through ongoing feedback and ensuring the final rule aligns with legislative authority. The agency plans to continue its outreach efforts, seeking input from various stakeholders, and adjusting the mandate as necessary to address industry concerns. This ongoing dialogue is essential for developing a regulatory framework that balances national security interests with the practical realities faced by critical infrastructure sectors.

Balancing National Cybersecurity and Operational Efficiency

A group of 21 infrastructure trade associations, including those from the communications, energy, aviation, IT, and transportation sectors, has voiced serious concerns about an upcoming cybersecurity reporting mandate. This mandate, stemming from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), requires entities that have a “reasonable belief” of experiencing a “covered cyber incident” to inform the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The timeframe shortens to 24 hours if a ransomware payment is made. In a letter to CISA Director Jen Easterly, these organizations have called for an “ex parte” process. This process would help ensure the mandate’s implementation aligns more closely with congressional intent and allows for more thorough feedback from the industry. They believe that this approach will enable a more practical, industry-informed execution of the cybersecurity requirements, thereby enhancing both compliance and security outcomes.
