The Information Technology Industry Council has published recommendations to the Cybersecurity and Infrastructure Security Agency’s rulemaking process for the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
In response to CISA’s request for information, ITI urged the security agency to examine the domestic and international incident reporting landscape in order to align with federal agencies and non-U.S. alliances.
CIRCIA was signed into law in March to require “covered entities” to alert CISA of data breaches and ransomware payments so that it can immediately respond, analyze the report and share information to warn other potential targets.
Within the scope of “covered entities,” the council suggested that CISA only include multinational companies’ U.S. subsidiaries, as well as products and services that are considered critical infrastructure. Third-party manufacturers of consumer products should be excluded, according to the recommendations.
“Covered cyber incident” should be limited to severe and significant attacks resulting in actual loss or disruption of U.S.-based networks, ITI said. The definition should concentrate on an incident’s cybersecurity consequences or impacts on frequently used platforms or cross-sector dependencies, the council commented.