WASHINGTON – Global tech trade association ITI submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA)’s Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) as the agency works to develop the rulemaking that will implement the law. In its comments submitted Monday, ITI offered a series of initial recommendations to help CISA further hone the rulemaking, including on scoping the definition of “covered entities” and what constitutes a “covered cyber incident,” and offered information on the global cybersecurity incident reporting landscape to prevent fragmentation of reporting requirements across borders.

“We encourage CISA, as it develops the rulemaking to implement CIRCIA 2022, to not only examine the existing federal, state, and local incident reporting landscape, but also the international landscape, as there is significant need for alignment across borders,” ITI wrote in the comments. “Further, ITI members encourage CISA to emphasize the security objectives of CIRCIA when developing and implementing the law, as it will set a regulatory standard that should inform other federal agencies’ reporting or disclosure obligations. We also think it important to highlight that in order for the regime to be effective, CISA must triangulate the scope of regulatory coverage, reporting requirements, and processes to ensure that it has the resources, capacity, and capabilities necessary to provide meaningful value to covered entities and the broader cybersecurity community from the information reported under CIRCIA.”

In its comments, ITI urges CISA to tailor the scope of “covered entities” by: basing the definition of covered entities on a national criticality assessment; excluding third parties from the scope; ensuring the adoption of common terminology across the interagency; finalizing ongoing critical infrastructure programs; creating an exception for entities that are already subject to similar cyber incident reporting requirements in other sectors; scoping “covered entities” to include only U.S.-based subsidiaries of multinational companies and only a company’s offerings that constitute critical infrastructure; and, finally, excluding manufacturers of consumer products from the scope.

ITI also urges CISA to tailor the definition of “covered cyber incident” by: limiting reporting to severe and significant attacks that cause actual disruption or loss, and including specific parameters for what qualifies; focusing on the impacts of an incident or its cybersecurity consequences; emphasizing incidents that affect cross-sector dependencies or ubiquitously used platforms; setting a de minimis threshold when considering the functional or informational impacts of an incident; and limiting the definition to events that occur on U.S.-based networks.

The comments build upon ITI’s ongoing cybersecurity incident reporting advocacy. In October 2022, ITI released its Global Cybersecurity Incident Reporting Policy Index, which summarizes cybersecurity incident reporting measures across the globe. In September 2021, ITI published Global Policy Principles for Security Incident Reporting to help policymakers worldwide as they seek to develop effective and efficient security incident notification regimes. In July 2021, ITI published Principles for Security Incident Reporting in the U.S., first-of-their-kind recommendations designed to help inform U.S. policymakers as they seek to develop a security incident notification regime.

Read the full comments here.