The Information Technology Industry Council (ITIC) has responded to a CISA Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) regarding the scope of CIRCIA incident reporting requirements. In its response ITIC writes, “CISA should develop criteria based on criticality assessment to national and economic security when entities are performing national critical functions. Such an approach should be encouraged to narrow down when entities are truly carrying out national critical functions that matter to national security, such as satellite communications, versus commercial use cases. If a system is not reasonably tied to a critical function at the national level, then it should not be covered.”
Note
- Most of the comments are focused on more definition in the draft language where squishy terms like “covered entity,” “covered incident” and “reasonable belief” were used and that is needed. There are 16 “Critical” Infrastructure sectors defined by CISA but what would be considered a “critical” incident within one of those sectors needs better definition, much the way the SEC had to provide guidance on what constitutes a “material event” that would require financial reporting.
- This comes down to signal to noise ratio. Understanding what is reporting and what matters is key. In our own shops, we already know what is most critical and categorize the types of events which matter. The risk is missing events which may be early indicators or possibly indications of a wider spread problem than anticipated. If you’re having trouble getting your arms around how to categorize what’s critical, take a look at the PDF to get some ideas for down-selecting and refining your approach.
- Prevention, prevention, prevention. Mandatory reporting starts as admiration of the problem and rapidly turns into expensive boiler plate.
Read more in
