CISA Extends Comment Period on CIRCIA Rules
Probably your first question is what the heck is CIRCIA.
CIRCIA is a law passed by Congress in 2022 that requires CISA to create a set of regulations for reporting cyber incidents by critical infrastructure operators.
Needless to say, those operators would much rather have a very low profile and report things only if and when they choose to.
CISA’s rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) are currently in the public comment period, which was supposed to last 60 days.
Congress gave CISA over a year to write the rules, then another 18 months to finalize them after the comment period, and then Congress has 60 days to cancel the whole thing. Welcome to Washington.
Now the comment period will last 90 days instead of 60 days and end on July 3rd.
CIRCIA mandates that certain critical infrastructure operators report cyber incidents within 72 hours and ransomware payments within 24 hours. Given that lawyers love to sue, companies would much rather have 72 days or even 720 days (we have seen both of these) to figure out how to spin the attack.
In a congressional hearing last week, industry spin doctors said that there are already too many cooks in the kitchen, which is actually probably accurate. CIRCIA did not eliminate any reporting or monitoring rules; it is just adding more.
On the other hand, the electric industry is basically self-regulated. There is a federal regulator (FERC), but it has largely turned the regulation process over to an industry trade group (NERC). The water industry has no security regulator at all. EPA tried, but the courts said no, and the Republican-controlled House refused to give EPA the authority to review and regulate the industry’s cybersecurity practices.
So at this point, critical infrastructure continues to get hacked, and by sheer luck, at least until now, we have not had any major catastrophes.
How long our luck will hold is not clear. The FBI has already admitted that our adversaries have wormed their way into the systems of our critical infrastructure and are still there. The thinking is that they want to be in position to take out key pieces of our critical infrastructure whenever they choose to.
In the meantime, industry and Washington are arguing about what to do. Welcome to our world. Details at The Record and the law firm of Mayer Brown.