CISA Should Revise Draft Cyber Rule
Requirements proposed earlier this year by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency are overbroad and would prove burdensome to manufacturers if adopted, the NAM told the Biden administration last week.
What’s going on: In April, CISA published draft rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022—scheduled to go into effect next year—that would require “covered entities” in “critical infrastructure sector[s]” to report major cyber incidents to CISA within 72 hours. It also mandated that any ransomware payments be reported within just 24 hours.
Why it’s a problem: The proposed rulemaking could affect more than 300,000 entities, according to CISA’s own estimate (JD Supra). Many of these organizations are either not truly “critical infrastructure” or too small to have the resources to undertake the outlined actions in the specified time, the NAM told CISA.
- Furthermore, the regulations themselves are too expansive, mandating the reporting of incidents that do not even affect the operation of critical infrastructure.
- They also require huge amounts of information in a short period—from companies in the throes of recovery from devastating cyberattacks.
The NAM says: “[T]he NAM respectfully encourages the agency to drastically reduce the number of entities required to report, and the number of incidents they have to report,” NAM Vice President of Domestic Policy Charles Crain told the agency during the public comment period on the proposed regulation, which ended last week.
- “Doing so will ensure that CISA receives useful information about cybersecurity incidents—without overburdening manufacturers with overbroad and unworkable disclosure requirements.”
What to do: In addition to narrowing the scope of “covered entities,” CISA should revise several aspects of the rulemaking before implementing it, the NAM said. Changes should include:
- Limiting the volume of reported cyber-incident information;
- Narrowing the scope of reportable cyber incidents; and
- Lightening and safeguarding the contents of cyber-incident reports.