
US Chamber of Commerce, industry groups call for 30-day delay in CIRCIA rules

The U.S. Chamber of Commerce and multiple industry leaders are calling for a month-long extension of the 60-day comment period for a new incident reporting rule being issued by the top cybersecurity agency in the U.S.

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) posted the 447-page set of regulations under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) to the Federal Register, allowing the public to comment on it.

But in a letter to Todd Klessman, the CIRCIA Rulemaking Team Lead at CISA, the U.S. Chamber of Commerce joined with more than 20 industry groups representing banks, airlines, telecoms, railroads, hospitals and pipelines to ask for a 30-day delay to allow for more time to comb through the rules.

“The proposed rule is extensive and intricate, reflecting the complexities inherent in addressing cybersecurity within critical infrastructure sectors. The NPRM spans nearly 500 pages. Consequently, its length and depth necessitate a comprehensive review process to ensure that all stakeholders fully understand its implications,” the organizations said. 

“Additionally, given the potential impact of this rule, affecting every critical infrastructure sector, and possibly serving as a model and hub for other reporting requirements, this additional time is crucial. It will allow organizations to thoroughly evaluate the proposed requirements, identify potential challenges, and propose effective solutions that prioritize both security and operational continuity.”

The letter adds that this is CISA’s “first time regulating all critical infrastructure sectors through a formal rule” and will establish precedent. An extra 30 days, according to the groups, would “promote a more informed rulemaking process, ultimately resulting in a stronger rule, a better process for reporting, and a strong public-private partnership.”

The law mandating the rules was passed in 2022 and is intended to improve the government’s ability to track incidents and ransomware payments. 

CIRCIA mandates that certain critical infrastructure organizations report cyber incidents within 72 hours and ransomware payments within 24 hours. The incidents covered by the law include ones that “lead to substantial harm or pose a significant threat to the organization's ability to function or to national security, public health, or safety.”

Ari Schwartz, coordinator for the Cybersecurity Coalition that signed onto the letter, told Recorded Future News that CISA itself admitted that the rules implement a “notification regime on well over 350,000 organizations all of whom (other than some in the chemical sector) do not think of CISA as one of their regulators.”

He added that it “goes far beyond the traditional members of the critical infrastructure entities to non-small companies in critical infrastructure sectors.”

“The regulation took CISA over two years to write, including this draft which took 18 months. We are not asking them to delay the issuance of the final regulation, but for three months to respond to it in order to be able to organize all of those who don’t yet necessarily know they are subject to it,” he said.

“There are many areas that need to be discussed including the definition of a covered entity; how the data will be used; whether the regulatory harmonization section is workable and the penalties for not filing on time.”

When asked for comment, CISA directed Recorded Future News to an FAQ the agency released after the rule was unveiled. 

The agency explained that it provided 60 days for comments because CISA only has 18 months from the date of publication of the regulations to issue the final rule, based on the statutory requirement provided by Congress.

CISA said in the document that it “believes that a 60-day comment period provides stakeholders with adequate time to review and provide comments on the proposed rule while ensuring CISA has sufficient time to complete the rulemaking process in the statutorily provided timeframe.”

CISA added that it has already done “extensive public engagement” on the rule with the private sector, making the 60-day timeframe “manageable.” The public engagement included hosting 10 in-person public listening sessions, virtual sessions and publishing a request for information before the rule was compiled. 

The signatories of the letter — which include the American Bankers Association, National Retail Federation, Airlines for America, Association of American Railroads, Federation of American Hospitals and the Nuclear Energy Institute — declined to comment on CISA’s response.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.