AGA Files Comments on Department of Homeland Security Cyber Incident Reporting Proposed Rule
WASHINGTON – The American Gas Association (AGA), in collaboration with other energy trade associations, has submitted comments in response to the Proposed Rule related to the implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) reporting requirements released by the Cybersecurity and Infrastructure Security Agency (CISA) on April 4, 2024. These comments commend CISA for its focus on cybersecurity incidents that ‘actually jeopardize’ systems and provide recommendations to refine the reporting requirements.
“We recognize the criticality of our infrastructure and that it is an attractive target for bad actors,” said AGA VP, Security and Operations Kimberly Denbow. “The preliminary hours of a confirmed cyber incident that actually jeopardizes our critical systems is crucial. Our comments focus on ensuring the reporting requirements meet the needs of the federal government but do not hinder our mitigation and response efforts.”
To maximize the utility of the CIRCIA program, the comments recommend that CISA:
- Focus solely on incidents that pose a real threat to operations and provide a clearer definition of what constitutes a substantial cyber incident.
- Reduce the quantity and refine the type of information required to be reported within the first 72 hours of an incident, focusing on:
- The impact and severity of the incident to assess threat level and risk.
- The estimated timeline of the incident, including the suspected start time of the attack.
- Indicators of compromise observed on the affected system
- Reevaluate the responsibilities for incident reporting along the supply chain to ensure clarity and effectiveness.
- Decrease and better define the kinds of information entities must retain, minimizing unnecessary burdens.
- Minimize duplicative reporting requirements to streamline the reporting process.
- Guarantee the security of information throughout the CIRCIA reporting process to protect sensitive data.
Adopting these recommendations would enhance the effectiveness of the CIRCIA program and help ensure the program addresses high risk cybersecurity threats without imposing unnecessary burdens on critical infrastructure entities. AGA looks forward to continued collaboration with CISA on this issue. AGA’s full comments can be accessed here.