Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

CIRCIA pushes CISA from partner to regulator in cybersecurity

(McCrary Institute)

By Don Kauffman

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is reshaping the government’s relationship with private-sector victims of cyberattacks, pushing the Cybersecurity and Infrastructure Security Agency toward a more traditional regulatory posture after years of emphasizing voluntary collaboration.

“CIRCIA was passed in 2022,” Inside Cybersecurity managing editor Sara Friedman said, tracing the law’s origins to the fallout from the Colonial Pipeline disruption. “What CIRCIA does is it establishes a mandatory regime for cyber incident reporting. And it gave CISA new regulatory authorities to be able to accomplish this.”

For CISA, the change is more than procedural. On a recent Cyber Focus podcast, Friedman said the agency’s brand with industry has long been built around partnership – sharing information, coordinating responses and persuading companies to engage without mandates. “CISA was supposed to have voluntary partnerships and that was one of the hallmarks of getting industry to engage with them and this idea of joint operational collaboration and bidirectional information sharing,” she said. “And with this new role, CISA is moving into more of a regulator role.”

That tension is now concentrated in CISA’s notice of proposed rulemaking, which would determine who qualifies as a covered entity, what qualifies as a reportable incident, and how fast reporting must occur. “This rulemaking, when it was put out, it’s over 400 pages. There’s a lot in there,” Friedman said. She added that industry reaction has focused on scope: “There was a lot of concerns that CISA had gone overbroad in terms of who would be covered, covered entities, and what incidents they would have to be reporting.”

Timing requirements are a second flashpoint. CIRCIA’s 72-hour reporting clock collides with the early-stage reality of incident response, when basic facts can still be unclear. “Because it’s really hard to actually know that within 72 hours what it is,” Friedman said. “And CISA is also allowing to have supplemental incident reporting after the first 72 hours.”

The stakes, Friedman suggested, are not limited to compliance costs. If the final rule is seen as unworkable or misaligned with congressional intent, it could trigger political blowback – and, more quietly, strain the trust CISA depends on for day-to-day operational cooperation. “House Homeland Security Chairman Andrew Garbarino threatened to, if the rulemaking does not meet congressional intent and what he was expecting, to introduce a Congressional Review Act resolution to potentially roll this back,” she said.

Even if the policy debate narrows, questions remain about whether CISA has the capacity to deliver a complex rulemaking while sustaining its operational mission. “They’ve shed about a third of their workforce under the second Trump administration,” Friedman said. “One of the questions is, does CISA have the capacity that they need for this rulemaking and to do it effectively?”

For more on this and other important cyber topics, check out the full catalog of Cyber Focus podcasts: https://mccraryinstitute.com/podcast/

Click to listen highlighted text!