Reader Question – CIRCIA Comments

Yesterday, a long-time reader asked me if I would be posting about CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) notice of proposed rulemaking (NPRM). The question was asked because the Federal Register had ‘published’ the NPRM the day before on their ‘Public Inspection’ page. While normally this page lists the next day’s Federal Register publications, documents published in the ‘Special Filing’ section are published further in advance. In this case the CIRCIA NPRM will be officially published in the Federal Register on April 4^th, 2024

I replied to the question: “I am planning to discuss it on April 4th when it is published in the Federal Register because of the link capabilities.” I thought a little more detail might be appreciated.

First off, the early publication on the Public Inspection page does not contain the same information as provided in the Federal Register publication. Regulatory dates are typically calculated from the date of the FR publication and are noted in the PI documents as, for example, “[INSERT DATE 60 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]”. Additionally, some included tables may not be complete in the PI publication. Finally, there are provisions for agencies to make post PI publication changes before the official publication of the documents.

My personal reason, though, for not typically using the PI version for my blog comments is that there are no provisions in the PI version for links to paragraphs within the document. That is very important in a 417 page document like the CIRCIA NPRM. I really do like providing my readers with direct access to the regulatory language so they can see for themselves whether they agree with my interpretation of what is being said. I can do that with the FR version of the document, I cannot with the PI version.

There are also mechanical (as in writing mechanics) reasons for waiting for the Federal Register version of the NPRM to be published. There are tools available on the Federal Register Documents pages that make it easier to navigate lengthy documents and find supporting information (actual proposed regulatory code, for instance) that makes it less time consuming to prepare my analyses of regulations.

So, yes this is an important rulemaking, and an unofficial 417-page version is available for public perusal. I just do not intend to write an analysis of the NPRM based on that document. I will wait for the April 4^th publication of the official version. By the way, the 60-day comment clock starts from that publication.

BTW: That reader also commented that they did not always see my advertorial posts on LinkedIn. I reminded the reader that my Substack newsletter includes an almost daily post citing my recent publications here and other places and that post is available to free subscribers. So if you want to keep up with what I am writing go to CFSN Detailed Analysis and sign up today. You can also follow me on LinkedIn, Mastodon, and TWITTER.com.