Last week, CISA published the official version of their Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (Division Y, PL 117-103) notice of proposed rulemaking (NPRM). This is part of a continuing series of posts looking at the proposed rulemaking. In this post I will be looking at how CISA is proposing to deal with the problem of implementing the CIRCIA mandated definition of the term ‘covered entity’ as it applies to these reporting requirements.
Covered Entity Definition
CIRCIA (codified at 6 USC 681-681g) defines the term ‘covered entity’ {§681(5)}: “The term ‘covered entity’ means an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21 [link added], that satisfies the definition established by the Director in the final rule issued pursuant to section 2242(b) (§681b).” Congress had to rely this broadly on CISA’s judgement to define the term because it has never been able to come up with a usable definition of what constitutes a critical infrastructure entity.
In this NPRM, CISA defined the term ‘covered entity’ (§226.1) this way: “Covered entity means an entity that meets the criteria set forth in § 226.2 of this part.” In turn, §226.2, Applicability, provides a two-part requirement. First, the entity must be larger than the ‘small business size standard’ set forth in 13 CFR part 121. Second, the entity must meet “one or more of the sector-based criteria provided below, regardless of the specific critical infrastructure sector of which the entity considers itself to be part”. Then §226.2 goes on to list those ‘sector-based criteria’:
Owns or operates a covered chemical facility,
Provides wire or radio communications service,
Owns or operates critical manufacturing sector infrastructure,
Provides operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information,
Performs an emergency service or function,
Bulk electric and distribution system entities,
Owns or operates financial services sector infrastructure,
Qualifies as a State, local, Tribal, or territorial government entity,
Qualifies as an education facility,
Involved with information and communications technology to support elections processes,
Provides essential public health-related services,
Information technology entities,
Owns or operates a commercial nuclear power reactor or fuel cycle facility,
Transportation system entities,
Subject to regulation under the Maritime Transportation Security Act, or
Owns or operates a qualifying community water system or publicly owned treatment works.
Each of the links above takes you to a paragraph under §226.2(b) that provides a brief description of what types of facilities (frequently with reference to a controlling regulatory structure) under that general description would be classified as a ‘covered entity’. There are lengthier discussions in the preamble that provide additional information on how CISA reached each of these definitions. Those discussions, from an enforcement perspective, will be very important for courts deciding whether a facility should be covered by this regulation.
For a more detailed look at how this definition specifically applies to chemical facilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/circia-nprm - subscription required.