
ITI urges improvements on cybersecurity regulations under CIRCIA

ORGANIZATIONS IN THIS STORY

Jason Oxman, President and Chief Executive Officer at Information Technology Industry Council

WASHINGTON – Today, global tech trade association ITI called on the Cybersecurity and Infrastructure Security Agency (CISA) to make its incident reporting regulation more effective and actionable to safeguard U.S. cybersecurity. ITI responded to CISA’s Notice of Proposed Rulemaking (NPRM) implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) with key recommendations to target the scope of the rule and take a more proactive role in harmonization in the U.S. and globally.

“Given the broad scope of the rule and the amount of information requested, we are concerned that CIRCIA in its current state will inevitably lead to overreporting of minor and potentially out-of-scope incidents. Such myriad reports will risk burying significant cyber trends in irrelevant data, and significantly decrease the benefit of the reporting scheme,” ITI wrote in its comments. “Further, we are concerned about the broad scope of the definitions of substantial cyber incident and covered entity. The definition of covered entity is very broad, and CISA should provide further guidance to provide certainty to companies as to whether or not they are in scope as a ‘covered entity.’”

“We encourage CISA to take a more proactive role in harmonizing incident reporting requirements, particularly through the CIRC, to converge incident reporting, and explore whether a single, national reporting function is feasible,” ITI continued.

ITI’s submission recommends that CISA:

- Take a more assertive role in harmonizing CIRCIA with existing and forthcoming U.S. reporting requirements;

- Target the scope of the rule, including narrowing the scope of “covered entity” and refining the definition of “covered cyber incident”;

- Allow for flexibility around supplemental reporting;

- Consider security implications and potential vulnerabilities associated with sharing and storing reports;

- Tailor information requested in initial reports to reflect that some information may not be available immediately after an incident occurs;

- Uphold liability protections provided in CIRCIA 2022;

- Take steps to foster reciprocity ensuring that CIRCIA provides value to stakeholders.

A longstanding tenet of ITI’s position on incident reporting has been alignment within both domestic and international contexts. In its comments, ITI emphasizes that CISA should examine the existing federal, state, and local incident reporting landscapes, and also consider international perspectives by collaborating with partners on harmonization where possible.

ITI has been deeply engaged in cybersecurity incident reporting policy development globally, including work done in Australia, Europe, and the United States. As part of this engagement effort, ITI developed two sets of policy principles: Policy Principles for Security Incident Reporting in the U.S., and Global Policy Principles for Cybersecurity Incident Reporting. These documents aim to inform policymakers on the best approaches to mandatory cyber incident reporting, reflecting ITI's views on what is needed for effective incident reporting.
