CISA's Brandon Wales announces the opening, in March, of the public comment period for regulations under the CIRCIA law. Image: @CISAgov / X

CISA wants ‘high-quality feedback’ for another month on CIRCIA rule

The window to provide feedback on a proposed cyber incident reporting rule was extended following multiple requests from industry, according to a senior Cybersecurity and Infrastructure Security Agency official.

Last month, CISA posted a set of regulations under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) to the Federal Register, allowing the public to comment on them. Days later, the U.S. Chamber of Commerce and other industry leaders petitioned the agency to lengthen the initial 60-day comment period. CISA did so late last week.

“We've received a number of requests to extend it and, in the interest of supporting the community out there, we decided to give them an extra 30 days,” Brandon Wales, CISA’s executive director, told reporters on Tuesday during a roundtable discussion at the RSA Conference in San Francisco.

The comment period will now close on July 3. The regulations are intended to improve the government’s ability to track cybersecurity incidents and ransomware payments. 

It’s unlikely CISA will prolong the deadline again, as the 2022 law that mandated the rule stipulated that once the comment period closes, the agency has 18 months to finalize the regulations. Congress will then have 60 days to review the rules before they become effective.

If the window is extended multiple times, it’s possible that industry groups opposed to the regulation might try to game the system and submit their feedback later and later in the process, in turn hamstringing CISA’s ability to ingest responses.

“We are actively hoping that we get good, high-quality feedback from critical infrastructure so that we can make sure that the final rule is as good as it can be, and helps us meet the intent of the program,” Wales said, noting the extension requests spanned multiple industries, including energy and information technology.

CIRCIA mandates that certain critical infrastructure organizations report cyber incidents within 72 hours and ransomware payments within 24 hours.

In a congressional hearing last week on the draft rule, industry representatives and lawmakers on both sides of the aisle expressed concern that CISA had already gone too far and would place onerous restrictions on critical infrastructure entities.

“It is imperative that we get the CIRCIA rule right,” said Rep. Andrew Garbarino (R-NY), the chair of the Homeland Security Committee's cyber panel.

“CIRCIA should serve as the standard, not another regulation standing in the way of effective cyberdefense.”

Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.