    CISA seeks infrastructure sector consultation on incident reporting rule

    The Cybersecurity and Infrastructure Security Agency wants critical infrastructure partners’ feedback on the scope of its cyber-incident reporting regulation as the agency homes in on a final version of the long-awaited rule.

    In a notice set for publication in the Federal Register on Friday, CISA announced a series of town hall meetings where different sectors will be able to share their thoughts about the pending rule, which Congress required in the 2022 Cyber Incident Reporting for Critical Infrastructure Act.

    A draft version of the CIRCIA rule, published in April 2024, gave covered infrastructure operators 72 hours to report substantial cyber incidents to the government. Business groups and some lawmakers objected to the scope of the information that companies would need to report, as well as to the breadth of companies covered under the regulation.

    In its new announcement, CISA said it “appreciates stakeholders’ interest and concern that CISA implement CIRCIA to maximize its impact on improving our nation’s cybersecurity posture while minimizing unnecessary burden to entities in critical infrastructure sectors.”

    The agency wants infrastructure operators to share “specific, actionable improvements” to CIRCIA that “clarify or reduce” the burden of the planned reporting requirement while still giving the government ample information about the cyber-threat landscape.

    CISA said it was particularly interested in feedback on certain aspects of the rule, including the information required in incident reports, the use of size-based criteria to determine which companies are covered, and the subpoena process that CISA could use to obtain information from companies that fail to report.

    CISA also wants to know whether the rule should require cloud vendors, managed service providers or other infrastructure operators to report incidents involving open-source code they use.

    In addition, the agency said it wants to know whether its sector-based lists of covered entities are missing any important categories of infrastructure operators.

    CISA will hold seven town-hall meetings to gather input on the CIRCIA rule.

    Five of those meetings will take place in March: one for the chemical, water, dams, energy and nuclear sectors (March 9); one for commercial facilities, manufacturing and food and agriculture (March 12); one for emergency services, government facilities and healthcare (March 17); one for communications, transportation and financial services (March 18); one for defense contractors and information technology companies (March 19); and one general session for any interested organizations (March 31). The agency will then hold a second general session on April 2.

    CISA expects each town-hall meeting to last up to two hours and will limit each speaker’s time to roughly three minutes. The agency said it will record and transcribe the meetings and post the transcripts in the CIRCIA rulemaking docket.

    “CISA will not be able to share nonpublic or deliberative information about the CIRCIA rulemaking during meetings,” the announcement warned, “nor will CISA be able to commit to resolving policy issues impacting or impacted by the rulemaking in a specific manner.”

    CISA has spent the past several years sifting through a mountain of stakeholder input on the appropriate scope for the cyber incident reporting rule. An initial Request for Information yielded 130 comments, roughly 730 people attended more than a dozen sector-specific listening sessions and a 90-day public comment period on the draft rule generated approximately 300 comments.

    “CISA remains committed to working within the rulemaking process to enable stakeholders to provide input as CISA finalizes the rulemaking to strike an appropriate balance of costs and benefits,” the agency said in its announcement.

    While CISA did not commit to reopening the public comment period on the draft rule, it said it “may elect to do so in the future if CISA determines that doing so is warranted.”