The Cloud Service Providers-Advisory Board (CSP-AB) is honored to engage with the Cybersecurity and Infrastructure Security Agency (CISA) on the proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This critical framework establishes cyber incident and ransom payment reporting requirements for covered entities, a vital step toward safeguarding the nation’s critical infrastructure against evolving cyber threats.
Aligning with CIRCIA’s Vision
The CSP-AB commends CISA’s dedication to enhancing national security through robust reporting mechanisms. Early identification of malicious campaigns and analysis of long-term trends are crucial to bolstering the nation’s cybersecurity posture. The CSP-AB also applauds CISA’s decision to extend the public comment period, demonstrating its commitment to thorough stakeholder engagement.
Key Areas for Improvement
While supportive of the proposal, the CSP-AB recommends specific amendments to ensure the framework effectively targets critical incidents without imposing undue burdens:
- Refining the Definition of Covered Entities:
  - Current size-based criteria risk capturing a disproportionately broad set of organizations. The CSP-AB urges a sector-based approach that aligns with the statutory definition of critical infrastructure, ensuring clarity and precision.
- Narrowing the Scope of Substantial Cyber Incidents:
  - The proposed definition risks overwhelming entities and public resources by requiring reporting for a wide array of incidents. The CSP-AB suggests:
    - Adding specificity to what constitutes a “substantial loss.”
    - Limiting reporting to incidents impacting critical infrastructure sectors.
    - Targeting only substantial and material disruptions.
- Avoiding Redundant Reporting:
  - The inclusion of FedRAMP-authorized CSPs in the reporting requirements duplicates existing processes. A carve-out or reciprocity agreement with FedRAMP would prevent unnecessary inefficiencies.
- Enhancing Data Safeguards:
  - CISA should clarify how sensitive information from incident reports will be protected and shared with other agencies. The CSP-AB recommends allowing entities to redact personal victim data to uphold privacy.
Balancing Enforcement and Compliance
The CSP-AB supports accountability measures but advises caution regarding debarment for non-compliance. A punitive approach risks discouraging transparency and cooperation. Enforcement should focus on repeated, intentional violations rather than isolated missteps.
Looking Ahead
The CSP-AB appreciates the opportunity to contribute to this vital rulemaking process and is committed to collaborating with CISA to refine the proposal. Together, we can create a secure, resilient infrastructure that protects the nation against emerging cyber threats.
Call to Action: Stakeholders across industries are encouraged to review the proposed rulemaking and provide their feedback. Let’s work together to build a safer digital future for critical infrastructure and beyond.