The Cybersecurity and Infrastructure Security Agency will hold sector-by-sector town halls in the coming weeks to get feedback on a stalled regulation requiring critical infrastructure owners and operators to report when they suffer major cyberattacks.
The meeting dates, set to be published in the Federal Register Friday, would “allow external stakeholders a limited additional opportunity to provide input on refining the scope and burden” of a proposed rule that CISA is advancing as part of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that Congress enacted in 2022.
That law requires critical infrastructure owners and operators to notify CISA within 72 hours when they are hit with a significant cyberattack and within 24 hours when they make a ransomware payment.
But defining what entities the law would specifically cover and how has been a point of contention. The Trump administration moved a deadline to complete the rule last year, saying it would delay finalizing the rule until May.
Among the specific topics CISA wants comment on during the virtual town halls are proposed sector-based criteria for which entities the regulations apply to; how to handle small businesses; how to consider chemical plants in light of a chemical plant security law lapsing; the list of example incidents that would meet the law’s reporting requirements; and how to reduce conflicts with existing regulations.
After the sector-by-sector meetings, CISA would hold general sessions on March 31 and April 2.
One industry source, granted anonymity to speak candidly, said they weren’t aware of the additional sessions until Thursday’s Federal Register notice and that it “would have been nice” to know they were coming.
They also told CyberScoop they weren’t sure the town halls were what CIRCIA needed right now.
“Industry has already been very vocal about what we think needs to be addressed in the final rule,” the source said. “We want some back and forth, give and take to better understand what CISA may view as its limitations in implementing the rule.
“And to me, a town hall where you’re asking for more input isn’t what we need at this point. We want a dialogue,” they said.
Speaking to reporters at a conference last week about the timeline for releasing a final CIRCIA rule, CISA official Nick Andersen said that “I think that we’ll have some news on CIRCIA in pretty short order in the next couple of weeks, hopefully.” Andersen, executive assistant director for cybersecurity at the agency, said he couldn’t say more at the time on whether CISA would continue the existing rulemaking process or undertake a new one.
The post CISA to host industry feedback sessions on cyber incident reporting regulation appeared first on CyberScoop.



