The Cybersecurity and Infrastructure Security Agency (CISA) will hold a series of virtual town hall meetings to gather stakeholder input on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA( of 2022 rulemaking.
The meeting, scheduled to begin March 9, are in response to numerous requests for more opportunities for the public to engage in the rulemaking process. The meeting will help the agency to solicit input on the Notice of Proposed Rulemaking (NPRM), and to provide CISA with access to a broad range of entities within the critical infrastructure sectors.
“Implementing CIRCIA will significantly enhance our ability to assist victims of cyber incidents, identify emerging threats, and rapidly share actionable information to protect others,” CISA Executive Assistant Director for Cybersecurity Nick Andersen. “Stakeholder input is critical as we finalize this rule to strengthen our collective defense. CISA is committed to delivering a framework that appropriately balances its impact on improving our nation’s cybersecurity posture with avoiding unnecessary burden to entities in critical infrastructure sectors.”
CIRCIA was passed in 2022 and was designed to help the government respond quickly to cyber threats and share information to protect critical infrastructure. One the final rule is implemented, covered organizations will be required to report certain cyber incidents to CISA within 72 hours, and to report ransom payments within 24 hours.
In April 2024, CISA announced the NPRM and hosted in-person public listening sessions across the country, as well as conducted virtual sector-specific session and engaged with federal partners including Sector Risk Management Agencies (SRMAs) to gather feedback. The NPRM comment period was for 90 days. CISA believes more stakeholder engagement will be critical to developing a rule that balances costs and benefits.