Harmonize cyber incident reporting requirements to reduce burdens
The one area of consensus among most of the commenters is that CISA should take great care to align its reporting requirements with those of other regulatory bodies, some of which, such as those of the Federal Communications Commission (FCC) and the Securities and Exchange Commission (SEC), are still evolving. Most also point to potential overlap with other governments’ reporting requirements, including the European Union’s General Data Protection Regulation (GDPR) and state-level breach reporting requirements.
The National Association of Manufacturers acknowledges that the 72-hour reporting deadline is consistent with the GDPR data breach standard, adding that “Any labor-intensive reporting requirements would divert a company’s internal resources from responding to an attack and add an unnecessary layer to an already complex situation.”
Several commenters in the power sector point to the already extensive reporting requirements applied to electricity providers, including regimes overseen by the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC). The American Public Power Association (APPA) and the Large Public Power Council (LPPC) said, for example, “Given the existing incident reporting regimes overseen by FERC and DOE, CISA should engage in direct and deep consultation with FERC and DOE as it works to implement CIRCIA. Moreover, CISA must take into account existing data breach reporting requirements at the state level. To improve the threat landscape and associated awareness of it, it will be critical to work with existing infrastructures wherever possible to allow single-point reporting with the government being responsible for sharing information internally in a need-to-know environment, rather than imposing multiple reporting obligations on an impacted entity, which may also be dealing with a live cybersecurity event.”
Flexibility and confidentiality for cyber incident report submissions
In terms of how covered entities should submit incident reports to CISA, the commenters touched on a range of topics, including whether organizations can report through third parties such as information sharing and analysis centers (ISACs), how they receive confirmation that a report was submitted, and the degree to which CISA will keep any reports confidential.
The North American Electric Reliability Corporation advised CISA to require covered entities to clearly identify that they are reporting an incident under CIRCIA, as opposed to a voluntary share, and develop an automated mechanism to confirm receipt of a CIRCIA report from a covered entity or a third party on behalf of a covered entity.
The National Rural Electric Cooperative Association said that CISA should be flexible in how reports are submitted, including machine-to-machine and other reporting methods, and asked CISA to use the electricity subsector’s current structure for report content and submission procedure.
Some commenters expressed concerns over how CISA could keep the reports confidential. NCTA, for example, said, “Much of the information reported to CISA under CIRCIA will be highly confidential and competitively sensitive. To protect such information, CISA should consider treating incident reports as covered either by DHS’s PCII Program or an equivalent program. The PCII Program establishes uniform procedures for the receipt, care, and storage of critical infrastructure information submitted to DHS to protect sensitive data against disclosure through FOIA requests, state and local disclosure laws, use in regulatory proceedings, and use in civil actions.”