
Infrastructure providers advocate for limits on the scope and deadlines of CIRCIA regulations.

Stakeholders in critical infrastructure sectors urge federal authorities to allow more leniency on the specifics required during the initial 72 hours of a cyber incident.


The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), set to take effect next year, has sparked concerns and recommendations from several key stakeholders, including TechNet, the American Gas Association (AGA), and the American Hospital Association (AHA). These organizations have raised issues regarding the complexity and fragmentation of cyber incident reporting under CIRCIA, urging harmonization and clearer, streamlined federal requirements to ease compliance burdens and improve critical infrastructure cybersecurity communication.

Concerns

The organizations have expressed concerns about regulatory fragmentation and duplication, as they face broad, overlapping, and inconsistent cybersecurity regulations in various sectors. They are particularly concerned about the cumbersome duplicative reporting requirements under CIRCIA alongside other federal and state mandates.

Another concern is the need for harmonization, as these groups emphasize the importance of aligning cyber incident reporting rules to minimize the burden on organizations and avoid multiple notifications to different federal agencies for a single incident. They acknowledge that Congress intended CIRCIA to be the main vehicle for reporting, but note uncertainty remains on how harmonization will be achieved in practice.

Implementation uncertainty is another concern, with organizations expressing worry about how CISA will implement CIRCIA’s requirements, including the specifics of what incidents must be reported, timelines, and protections around sensitive information. The planned CISA rules are in flux, causing anxiety among critical infrastructure operators about compliance.

Recommendations

The groups advocate for clear guidance and uniform reporting standards across sectors to reduce confusion and administrative overhead while ensuring timely federal awareness of cyber incidents. They recommend mechanisms to prevent multiple incident reports for the same event across different agencies and sectors to prevent overwhelming both organizations and regulators.

Collaboration on implementation is also a key recommendation, with engagement between CISA and industry stakeholders such as TechNet, AGA, and AHA to refine reporting criteria and foster trust that sensitive data will be protected to encourage robust reporting without fear of punitive consequences.

The AGA, along with the American Petroleum Institute and other energy groups, has raised concerns about CIRCIA, particularly focusing on the preliminary hours of a confirmed cyber incident that jeopardizes critical systems. Kimberly Denbow, VP, security and operations at the American Gas Association, stated that these initial hours are crucial.

The AHA is seeking a harmonization process to allow healthcare providers to submit unified reports about cyber incidents through a web portal. TechNet, on the other hand, is concerned that some providers have critical functions operating within their organization, and argues that not every part of such an organization should be considered critical.

In summary, these key stakeholders share concerns about the complexity and fragmentation of cyber incident reporting under CIRCIA, urging harmonization and clearer, streamlined federal requirements to ease compliance burdens and improve critical infrastructure cybersecurity communication.

  1. The complexity and fragmentation of cyber incident reporting under CIRCIA has been highlighted as a concern by TechNet, the AGA, and the AHA, who are urging harmonization and clearer, streamlined federal requirements.
  2. The groups have expressed worry about regulatory fragmentation and duplication, as they face broad, overlapping, and inconsistent cybersecurity regulations in various sectors and are particularly concerned about the cumbersome duplicative reporting requirements under CIRCIA alongside other federal and state mandates.
  3. Collaboration on implementation is a key recommendation, with engagement between CISA and industry stakeholders such as TechNet, AGA, and AHA to refine reporting criteria and foster trust that sensitive data will be protected.
  4. The AHA is seeking a harmonization process to allow healthcare providers to submit unified reports about cyber incidents through a web portal, while TechNet is concerned that some providers have critical functions operating within their organization, and argues that not every part of such an organization should be considered critical.
