
CISA cyber incident reporting rule raises industry concerns

As discussed in our previous blog post, the Cybersecurity and Infrastructure Security Agency (CISA) has proposed a significant new rule, implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), that would make cyber incident reporting mandatory for covered entities. The rule is intended to improve CISA’s ability to track and respond to cyber threats across critical infrastructure, but it has sparked considerable debate. The concerns raised underscore the delicate balance between strengthening national security and avoiding undue burdens on businesses.

Major concerns: scope and over-reporting

One of the main concerns across industries is that the rule’s broad scope could cover more than 300,000 entities, many of which are not traditionally considered critical infrastructure. This could lead to over-reporting, flooding CISA with low-value data and potentially diverting analyst resources away from significant threats. Critics, including Senator Gary Peters, argue for a more targeted approach that focuses on incidents with genuine national security implications.

In addition, the existing patchwork of more than 50 federal cyber incident and breach reporting requirements across agencies raises concerns about redundancy and increased compliance burden: an organization may have to report the same incident several times, in different formats and on different timelines. The proposed rule could add yet another layer of complexity without necessarily improving cybersecurity outcomes.

Alarm bells in the manufacturing sector

The National Association of Manufacturers (NAM) is particularly concerned about the rule’s potential impact on its members. NAM argues that the broad definition of “covered entities” could sweep in numerous manufacturers operating outside traditional critical infrastructure, burdening them with complex and costly reporting requirements they may not be equipped to meet. NAM also criticizes the broad definition of reportable incidents and advocates for a more targeted approach that focuses on incidents that actually affect critical infrastructure and national security.

Special challenges in the healthcare sector

Healthcare and hospital groups have raised particular concerns because of the interconnected nature of their sector. They advocate including insurers and third-party providers in the rule, since excluding key entities such as health IT providers and labs could cause significant disruption if those entities become targets of cyberattacks. The strict reporting deadlines are also a concern: the proposed rule requires covered cyber incidents to be reported within 72 hours and ransom payments within 24 hours. These groups warn that meeting such deadlines during a crisis could divert staff from patient care and place a financial burden on underfunded hospitals and providers, and they have asked for financial support and technical assistance to meet the new requirements without jeopardizing patient care.

Finding a middle ground

To address these concerns, several recommendations have been put forward:

  1. Rethink the scope – Focus on the entities and reportable incidents that have a significant impact on critical infrastructure and national security.
  2. Streamline reporting – Develop a single reporting mechanism that is harmonized with existing federal requirements, so one incident is reported once rather than to several agencies in parallel.
  3. Offer help – Provide technical and financial support to smaller businesses.
  4. Clarify definitions – Clearly define key terms such as “covered entity” and “covered cyber incident” to avoid over-reporting and ensure consistent interpretation.
  5. Flexibility – Tailor reporting requirements to industry-specific needs, such as the need for immediate response in healthcare.

Balancing security and practicality

The debate surrounding CISA’s proposed rule underscores the challenge of balancing robust cybersecurity measures with practical, achievable compliance for businesses. Open dialogue and collaboration between CISA and industry stakeholders are critical to finding a middle ground that strengthens national security without imposing undue burdens. By addressing industry concerns and refining the rule, CISA can create a framework that effectively protects critical infrastructure while promoting a collaborative approach to cybersecurity.