Regulatory and Legal Reform

Policy and Legal

Rep. Garbarino, NAM Talk CIRCIA Flaws

A draft Department of Homeland Security rule requiring that certain sectors expedite cyber-incident reporting has several shortcomings that must be addressed before the rule becomes final in the fall of 2025, the NAM told Rep. Andrew Garbarino (R-NY) in a meeting this week.

What’s going on: Rep. Garbarino, chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, met with manufacturers and the NAM Technology Policy Committee Tuesday to talk cybersecurity issues.

  • Much of the discussion focused on draft rulemaking published in April by the DHS’s Cybersecurity and Infrastructure Security Agency. It would require “covered entities” in “critical infrastructure sector[s]” to report any major cybersecurity incidents to CISA within 72 hours.
  • Under the Cybersecurity Incident Reporting for Critical Infrastructure Act, CISA must finalize the rule by October 2025.

Why it’s a problem: The NAM agrees with the concerns Rep. Garbarino raised with CISA, including:

  • The burden associated with imposing onerous reporting mandates on companies recovering from cyberattacks;
  • An overbroad scope, which forces into compliance both organizations that are not truly “critical infrastructure” and those that are too small to have the resources needed to complete the required actions;
  • An overbroad definition of incidents requiring reporting;
  • An excessive amount of required information;
  • An unreasonably high cost of compliance and the diversion of resources away from cyber-incident response; and
  • The risk that the proposed rule will jeopardize CISA’s role as a trusted partner of industry.

NAM in action: The NAM submitted comments in response to CISA’s proposal earlier this year outlining these concerns, as well as calling for a reduction in both the number of entities required to file incident notifications and the number of incidents they have to report.

The NAM says: “CISA needs to significantly rethink its approach to CIRCIA’s implementation,” said NAM Senior Director of Technology Policy Franck Journoud.

  • “The proposed rule requires far too much information about far too many incidents from far too many companies. CISA should not mandate that companies under attack from hackers divert precious security resources to generate mountains of incident data that CISA will not have the means to process or act upon.”

Take precautions: If you are looking to strengthen your company’s cyber protections, check out NAM Cyber Cover, an affordable, broad security program for NAM members that provides proactive monitoring with automated alerts at no extra cost.

View More