July 3, 2024
Todd Klessman
CIRCIA Rulemaking Team Lead
Cybersecurity and Infrastructure Security Agency
245 Murray Ln., SW
Washington, DC 20528
Submitted via regulations.gov
RE: Feedback on the proposed rule on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), docket number CISA-2022-0010
The Operational Technology Cybersecurity Coalition (OTCC) appreciates the opportunity to submit feedback on the proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This proposed rule represents one of the first cross-sector reporting requirements for critical infrastructure by the Federal government, and as such, will have wide-ranging impacts on critical infrastructure owners, operators, and those who provide services to them. Therefore, it is important to ensure that the rules and requirements are properly scoped so that the government gets the information it needs to achieve the goals of the statute without overburdening companies in the midst of responding to a cyberattack.
Definition of Covered Entity
In considering the definition of entity as it applies to CIRCIA, CISA includes erroneous terms like “partnership” and “association. . . regardless of governance model that has legal standing and is uniquely identifiable from other entities. The organizational structure or nomenclature chosen by the entity does not matter as long as it is a structure that imports legal presence or standing in the United States.”1 As a 501(c)(6), OTCC is concerned that this interpretation as it applies to CIRCIA is too broad, and should be limited only to individuals, companies, or service-providing organizations. For example, this could include electric and water co-operatives, but not professional services associations or coalitions.
Further, it is important to ensure that CIRCIA reports are made by covered entities who are the owners and operators of critical infrastructure and not the vendors and third-party service or technology providers in order to protect the supply chain partnerships critical to the cybersecurity ecosystem. It therefore follows that “covered entities” should be a subset of critical infrastructure owners and operators whose services are most at risk of cyber-attacks that can cause severe and significant actual disruption or loss to national security and essential infrastructure necessary for public health, safety, communications, and financial operations.
OTCC is also concerned by the overly broad definition of “covered entity.” In the proposed rule, the definition of covered entity is any entity in a critical infrastructure sector above the small business threshold or that meets sector-based criteria. This appears to indicate that not only are owners and operators of critical infrastructure considered covered entities but could also include organizations or companies that merely exist within the sector. We believe this definition requires further narrowing.
Operational Technology
OTCC agrees with the proposed rule’s finding that operational technology (OT) is encompassed in the definition of “information system” contained within 6 U.S.C. 650(14). That definition includes “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.” This captures key components of OT but represents a non-exhaustive list of those components. OTCC also concurs with the inclusion of the words “operational technology systems” within the definition in the rule’s efforts to avoid any misinterpretations about whether OT is encompassed by the CIRCIA definition of information systems.
However, OTCC disagrees with the decision to require incident reporting of all breaches of OT original equipment manufacturers (OEMs), vendors, and integrators by defining them as covered entities in the Information Technology sector.4 As with CIRCIA’s treatment of Information Technology (IT) in the proposed rule, if everything is critical, nothing is critical. The proposed rule recognizes this for IT and has a multi-step process that enables companies to determine whether they must report a breach of IT products and services. A similar approach must be taken with OT.
CIRCIA requires CISA to review covered cyber incidents that are “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.” A blanket requirement for all OT OEMs, vendors, and integrators does not meet that test. Instead, it requires small OT entities that might not have a significant impact or physical consequences on the operations of critical infrastructure or the health and safety of Americans to spend critical time and dollars reporting to the government on incidents that have no significant impact on national security.
In determining the applicability of CIRCIA for IT reporting requirements based on the size of an entity, the proposed rule applied three prongs of cybersecurity risk: consequence (impact on national security, economic security, and public health and safety), risk (likelihood of being targeted, especially by state actors), and vulnerability (threat to reliable operation of critical infrastructure). A comparable approach must be taken with OT.
In addition, CIRCIA itself directs that the rule must take into consideration certain criteria:5
The sophistication or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue;
The number of individuals directly or indirectly affected or potentially affected by such a cyber incident; and
The potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
A blanket application of reporting requirements to OT OEMs, vendors, and integrators does not reflect those considerations.
Not all OT assets and systems pose equal risks. Excluding OT OEMs, vendors, and integrators with minimal impact on national security or large populations would allow CISA to focus resources where they matter most and insulate small OT companies from spending precious time and resources on reporting requirements that provide CISA with minimal benefit. Exemptions for low-risk OT entities would prevent unnecessary administrative overhead and allow CISA to concentrate on high-impact incidents.
Definition of Covered Cyber Incident
In defining a covered cyber incident, CISA applies multiple layers of logic, first seeking to define a “cyber incident.” CIRCIA makes clear how this term should be defined.6 However, CISA notes that in order to define a “covered cyber incident,” CISA must first define the term “substantial cyber incident,” as referenced in CIRCIA, but not otherwise defined in Federal statute.7 In doing so, “covered cyber incidents” in the proposed rule adopt the definition of a “substantial cyber incident.”8
The definition of a “substantial cyber incident” aims to narrow the reporting requirements for “covered cyber incidents” to incidents that have significant impacts. CIRCIA defines this as a substantial loss of confidentiality, integrity, or availability of a covered entity’s information systems, serious impacts on operational systems and processes, disruptions to business or industrial operations, or unauthorized access to nonpublic information due to compromises in third-party services or supply chains. CIRCIA also includes incidents from various sources such as cloud service providers, managed service providers, supply chain compromises, denial-of-service attacks, ransomware attacks, or exploitation of zero-day vulnerabilities.9
CISA's efforts to refine reporting criteria are appreciated, but OTCC does not believe the current definition adequately considers the criticality of the network or system to the covered entity, the physical impact, or the severity of the disruption. For instance, it should specify that the affected system or network must be critical to the entity's operations; should limit reporting to critical systems and processes; should focus on severe disruptions to critical operations, as not all business disruptions have meaningful impacts; and should require reporting of supply chain compromises only if they result in a substantial impact on the covered entity itself.
Additionally, the definition of a supply chain compromise is unclear, leading to excessive and repetitive reporting on vulnerabilities without meaningful impacts. OTCC recommends that covered entities should not be required to report vulnerabilities within third-party providers unless these vulnerabilities result in actual impacts to networks or devices.
As mentioned above in the context of OT, the proposed rule does not incorporate requirements in CIRCIA that the rule take into consideration the sophistication or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue.10 Specifically, the statute states:
“(c) Elements
“The final rule issued pursuant to subsection (b) shall be composed of the following elements:
“[…]
“(2) A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall—
[…]
“(B) consider—
“(I) the sophistication or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue….”
The use of the word “shall” in the sections preceding “consider” does not suggest that it is for CISA to consider whether novelty or tactics are a critical part of the rule, but an issue for the covered entities to consider when determining whether they are experiencing a “substantial cyber incident.” The rule should be updated to reflect that.
Finally, OTCC seeks clarity on whether reporting requirements pertain only to systems and impacts within the U.S. or if they extend to substantial cyber incidents affecting covered entities globally.
Reporting Harmonization
CIRCIA requires the Secretary of Homeland Security, in consultation with relevant government agencies, to “coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulations.”11 However, the proposed rule only refers to future plans to work with Sector Risk Management Agencies (SRMAs) to harmonize reporting requirements. The lack of any demonstrated progress in negotiating this harmonization leaves open concerns about whether agreements and harmonization will really be achievable in critical infrastructure sectors. Instead, it creates a scenario where CISA is asking the private sector to trust that it will reach mutual incident sharing agreements with SRMAs to harmonize reporting requirements and timelines that are undefined. Absent evidence of progress in these negotiations, this places an unreasonable burden on the private sector to trust that the Federal government will find itself capable of harmonizing cyber incident reporting requirements.
The June 2024 report by the Office of the National Cyber Director included three key findings:
The lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens; compliance spending often drew resources away from cybersecurity programs.
Challenges with cybersecurity regulatory harmonization and reciprocity extend to businesses of all sectors and sizes and cross jurisdictional boundaries. The report highlighted inconsistent or duplicative requirements across international and state regulatory regimes.
The U.S. Government is positioned to act to address these challenges. Respondents provided numerous suggestions for how the Administration and Congress could act to increase harmonization and reciprocity.
These findings make clear that even within the Federal government, there remain significant hurdles to harmonizing reporting requirements. This raises real concerns about whether CISA can achieve the harmonization agreements described in the proposed rule.
Additionally, and related to the question about whether CIRCIA’s reporting requirements only pertain to domestic or global incidents, OTCC strongly encourages CISA and the Department of Homeland Security (DHS) to continue working with their European partners to refine both the rules related to CIRCIA and the European Union’s NIS 2 Directive. As the joint comparative assessment of the reporting requirements under CIRCIA and the NIS 2 Directive shows, there are substantive differences in the two approaches.12 OTCC encourages DHS and CISA to continue efforts to harmonize global reporting requirements, including the efforts to align CIRCIA and the NIS 2 Directive.
Irrelevant Criteria and Excessive Reporting Requirements
The proposed rule makes admitted assumptions about Congressional intent that will ultimately require entities that do not have a significant impact on U.S. national or economic security to expend resources to report incidents that are not significant. In fact, the notice of proposed rulemaking is contradictory, but telling in this sense. The notice acknowledges “the limitations Congress imposed on the term covered cyber incident which defines the types of incidents that must be reported under the proposed rule,”13 but uses this as a justification to over-index on covered entities in order to “receive a sufficient number of reports to achieve these regulatory goals.”14 None of this is supported by either CIRCIA or any supporting comments by members of Congress.
Additionally, the proposed rule makes assumptions about an entity’s ability to report, and about the value of that reporting, that are not supported by CIRCIA. The proposed rule assumes that large entities are more likely to have mature cybersecurity capabilities, as well as resources to bring in outside entities, and are therefore more capable of detecting signs of compromise. Because of those resources, the proposed rule assumes that these entities are better able to report incidents within the time period required under CIRCIA. And because of their resources, CISA assumes that larger entities are more capable of absorbing the costs associated with incident reporting.15
CISA provides no evidence for any of these assumptions, and beyond the reporting volume that CISA is explicitly seeking but is not demonstrably necessary, there is nothing in CIRCIA that supports these assumptions.
Data Management and Protection
The reporting requirements outlined in the proposed rule demand a significant amount of trust by reporting entities in the capability of the Federal Government to protect what will certainly include sensitive data.
OTCC agrees with CISA’s proposal that it establish a single web-based form through which covered entities can report covered cyber incidents.16 Functionally, this makes sense, and allowing for identity management on the portal, which supports registration of covered entities, reduces friction for entities that have to report incidents. However, the reporting portal is only one piece of the system of systems necessary to receive the reports and execute CISA’s requirements as described in CIRCIA.
CIRCIA is explicit about the ways in which data should be ingested and used by CISA; however, neither the proposed rule nor current CISA operations demonstrate a process through which companies can be confident that the sensitive, and possibly proprietary information that they provide will be appropriately secured, minimized, or used once it is transmitted to the Federal government.
As of yet, neither CISA nor the Department of Homeland Security has demonstrated the ability to securely receive, index, record, analyze, assess, and store the information shared with it. The information included in incident reports could include sensitive information, depending on the type of cybersecurity incident that is reported.
Because DHS and CISA have demonstrated no reliable capability to securely accept, assess, and report cyber threats to the wider public, there is a significant trust gap between the private sector and the requirement that it share sensitive personal or private sector data with CISA in the event of a covered cyber breach. Without that, companies cannot be confident that the data they share with the Federal government will be protected and secured in the ways that U.S. citizens and companies expect.
As a result, the proposed rule also leaves open a number of questions related to how CISA plans to treat the data it receives under CIRCIA, most of which can be dealt with through internal procedures. However, answers to these questions are important for the private sector to know that there are substantive internal processes and procedures for protecting private sector information provided through CIRCIA. For example:
What are CISA’s actual procedures for minimizing and protecting sensitive information through CIRCIA regulations?
What penalties will employees face for violating these procedures?
Will there be a formal process for determining which U.S. governmental agencies and departments these reports will be shared with? If so, what is that process?
What is CISA’s retention period for the reports it produces as a result of CIRCIA?
The proposed rule and the discussion included along with it do not address these significant steps needed to provide the private sector with confidence that CISA will institute adequate internal procedures to protect the information shared with CISA in accordance with CIRCIA.
Conclusion
Again, OTCC appreciates the opportunity to provide feedback on the proposed rule. CIRCIA represents the first major cross-sector cybersecurity regulation by the Federal government, and it is critical that this rulemaking process is used to get it right.
Thank you for the opportunity to comment on this proposed rule. OTCC stands ready to collaborate with CISA on this as it moves toward a final rule.
Sincerely,
Andrew Howell
Executive Director, OTCC