Last week, the Cybersecurity and Infrastructure Security Agency (CISA) held two public town hall meetings to gather additional feedback on its Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Notice of Proposed Rulemaking (NPRM), originally issued on April 4, 2024. The proposed rule would establish new federal requirements for certain critical infrastructure organizations to report significant cyber incidents and ransomware payments to CISA as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Covered entities would generally be required to report qualifying cyber incidents within 72 hours and ransomware payments within 24 hours.
During the meetings, stakeholders from multiple critical infrastructure sectors raised concerns about the proposal's reporting requirements. A common theme was the need to better align CISA's requirements with other federal reporting mandates. Participants also emphasized the importance of clearly defining what constitutes a reportable cyber incident. Many warned that if the definition is too broad, organizations may be required to report routine or minor events, creating unnecessary administrative burdens and potentially overwhelming CISA with low-value reports. Several speakers also highlighted concerns about the proposed 72-hour reporting timeline, particularly for smaller organizations that may lack dedicated cybersecurity personnel and could struggle to gather the required information while simultaneously responding to an active cyber incident.
Water sector representatives largely reiterated comments previously raised by AMWA and other associations. A key issue is uncertainty regarding which water utilities would be considered covered entities under the rule. As currently proposed, drinking water systems serving more than 3,300 people would be subject to the reporting requirements, while other municipal service providers generally would not be covered unless they serve more than 50,000 people. In addition, because the underlying CIRCIA statute prohibits CISA from enforcing these reporting requirements against state, local, tribal, and territorial government entities, sector organizations have requested that CISA clarify that publicly owned water systems are not subject to these requirements.
AMWA will continue to monitor this rulemaking and keep members informed of any changes. Please contact Liz Jordan, Manager of Sustainability and Resilience Policy, for more information.