No agreement reached on establishing a consolidated US cyber incident reporting framework

The Cybersecurity and Infrastructure Security Agency (CISA) is facing calls to harmonize cyber incident reporting requirements to reduce burdens on organizations. Commenters have emphasized the need for alignment with reporting requirements from other regulatory bodies, including the Federal Communications Commission (FCC) and the Securities and Exchange Commission (SEC), which are still evolving. Concerns about potential overlap with other governments’ reporting requirements, such as the European Union’s General Data Protection Regulation (GDPR) and state-level breach reporting requirements, have also been raised.

One organization that has acknowledged the need for harmonization is the National Association of Manufacturers. They have highlighted that the 72-hour reporting deadline proposed by CISA is consistent with the GDPR data breach standard. However, they have cautioned against labor-intensive reporting requirements that would divert a company’s internal resources from responding to an attack and add unnecessary complexity to the situation.

In the power sector, several commenters have pointed out the already extensive reporting requirements imposed on electricity providers. These include regimes overseen by the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC). The American Public Power Association (APPA) and the Large Public Power Council (LPPC) have emphasized the importance of consulting with FERC and DOE as CISA implements its Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). They have also stressed the need to take into account existing data breach reporting requirements at the state level. These organizations argue that working with existing infrastructures would allow for single-point reporting, with the government responsible for sharing information internally in a need-to-know environment. This approach would prevent imposing multiple reporting obligations on impacted entities, which may already be dealing with a live cybersecurity event.

Aside from harmonization, commenters have also raised concerns about flexibility and confidentiality in the submission of cyber incident reports to CISA. The North American Electric Reliability Corporation has advised CISA to require covered entities to clearly identify that they are reporting an incident under CIRCIA. This would distinguish it from voluntary sharing and allow for the development of an automated mechanism to confirm receipt of a CIRCIA report. The National Rural Electric Cooperative Association has emphasized the need for flexibility in how reports are submitted, including the use of machine-to-machine and other reporting methods. They have also suggested that CISA should align with the current structure of the electricity subsector regarding content and submission procedure.

Confidentiality of the reports is another crucial aspect raised by commenters. The NCTA has highlighted that much of the information reported to CISA under CIRCIA will be highly confidential and competitively sensitive. To address this concern, they have urged CISA to consider treating incident reports as covered by DHS’s Protected Critical Infrastructure Information (PCII) Program or an equivalent program. The PCII Program establishes uniform procedures for the receipt, care, and storage of critical infrastructure information submitted to DHS. This would protect sensitive data from disclosure through Freedom of Information Act (FOIA) requests, state and local disclosure laws, use in regulatory proceedings, and use in civil actions.

In conclusion, there is a consensus among commenters that CISA needs to harmonize its cyber incident reporting requirements with those of other regulatory bodies to reduce the burdens on organizations. Concerns about potential overlap with existing reporting requirements and the need for flexibility and confidentiality have also been expressed. By addressing these concerns, CISA can ensure that the reporting process is streamlined and efficient while also protecting sensitive information.