A top Department of Homeland Security official says DHS is working to harmonize new cyber incident reporting rules, as industry and even some lawmakers criticize the draft rule’s scope and potential duplicative requirements.

The comment period for the Cybersecurity and Infrastructure Security Agency’s draft rule closed July 3. The proposal would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CISA expects to finalize the rule next spring. The rules will require organizations across the 16 critical infrastructure sectors to report cyber incidents to CISA within 72 hours.

Iranga Kahangama, DHS assistant secretary for cyber, infrastructure, risk, and resilience, said officials are just starting to adjudicate all the feedback it received. But Kahangama acknowledged widespread comments from industry about the “burden” of duplicative cyber incident rules.

“We are going to be viewing and administering CIRCIA with an eye towards harmonization,” Kahangama said during a July 10 event in Washington hosted by the Homeland Security Defense Forum. “We’re also establishing conversations between the department and all the other agencies that have cyber reporting requirements to identify ways that we can harmonize reporting.”

He pointed to interagency agreements that “allow for reciprocal sharing of information such that … a report to one will count as a report to another and vice versa through CISA.”

“We want to make sure we’re maximizing the ability to do that,” Kahangama said. “That’s quite complicated, because each agency has different requirements. And so you need to make sure that they’re substantially similar enough and that those are fleshed out. But those are really wonky but interesting conversations that my office is actively having right now as we develop CIRCIA.”

‘Overly broad’ criticisms

CISA received several hundred public comments on the draft rule ahead of a July 3 deadline. Many commenters called on CISA to boost its harmonization efforts. DHS has previously reported that there are 45 different federal cyber incident reporting requirements in place across 22 federal agencies.

The Information Technology Industry Council, for instance, called on CISA to take a more “assertive role” in bringing together different rules, including those under the Federal Acquisition Regulation.

“It is encouraging that CISA has noted this issue and created the process for CIRCIA agreements,” ITI wrote in its comments. “Nonetheless, we encourage CISA to take a more proactive role in harmonizing incident reporting requirements, particularly through the [Cyber Incident Reporting Council], to converge incident reporting, and explore whether a single, national reporting function is feasible.”

ITI and other commenters have also criticized CISA’s rule for being overly broad. Even some lawmakers have pushed back on CISA’s proposal.

Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), an architect of the CIRCIA law, is among the critics. Peters said the proposed rule “is overbroad and needs additional clarity in the definitions for covered incident, covered entity, and others used in the proposed rule.”

“CISA has said that it expects to receive 200,000 reports a year, but given the broad definitions, I am concerned that number may be higher than CISA’s estimate,” Peters wrote to CISA. “Under these new requirements, in 2025, thousands of businesses will have to report cyber incidents to the government, and I want to make sure this will not mean that CISA would be able to properly ingest, triage, and analyze the reported information and use the data to improve cybersecurity recommendations and support critical infrastructure.”

House Homeland Security Committee cybersecurity subcommittee Chairman Andrew Garbarino (R-N.Y.) derided the proposed rule for applying to too many entities. “Congress did not intend for CISA to subject so many entities to its reporting requirements,” Garbarino wrote to CISA Director Jen Easterly.

Garbarino also said CISA would be requesting too much data from organizations. He called the amount of information sought “tremendous – and at times, unrealistic.”

Cyber incident data

While Kahangama didn’t respond directly to those comments, he emphasized that DHS’s overarching goal is “not simply just to aggregate data.”

“It’s not simply to do a land grab of getting the most amount of information possible,” he said. “It’s to get the right amount of information in the right format, that can be best utilized to maximize prevention, security and resilience in the space.”

Kahangama said DHS and CISA will make decisions about the incident reporting requirements “through those lenses.”

“I do want to emphasize that a lot of the decisions we will make will obviously be in response to the public comments,” he said. “But it’s not simply about getting data. It’s about getting the right kind of data in the right context. So we look forward to continue to work with folks on that and putting out some more information in due course.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.