
Saturday, June 1, 2024

Review - CISA Publishes CIRCIA NPRM Correction

CISA published a correction to their Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) notice of proposed rulemaking in Monday’s Federal Register (available online today; 89 FR 47471-47472). This correction addresses the definition of ‘covered entity’ “for pipeline facilities and systems” as outlined in CISA’s April 4th, 2024 NPRM.

Monday’s ‘correction’ would change the NPRM entry for §226.2(b)(14)(iv) to read:

“(iv) A pipeline facility or system owner or operator required to report cyber incidents by the Transportation Security Administration;”

With this correction being made to April’s NPRM, the comment period (which was to end on Monday, June 3rd, 2024) has been extended to July 3rd, 2024. I would not be surprised to see requests for a further extension of that time. Comments may be submitted through the Federal eRulemaking Portal (www.regulations.gov; Docket # CISA-2022-0010).


For more information on this correction, including a look at why CISA had to make the change, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-circia-nprm-correction - subscription required.

Monday, April 29, 2024

Committee Hearings – Week of 4-29-24

This week, with both the House and Senate back in Washington, there is a moderately heavy hearing schedule in both bodies. Budget hearings continue, moving into the final stages in the respective appropriations subcommittees. There is also a hearing on CISA’s notice of proposed rulemaking for the implementation of the cybersecurity reporting requirements of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

FY 2025 Budget Hearings

Agency         House                  Senate
EPA            Approp Subcommittee    Approp Subcommittee
DOT            Approp Subcommittee    Approp Subcommittee
CISA           Approp Subcommittee
Coast Guard    Approp Subcommittee

CIRCIA Hearing

On Wednesday, the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on “Surveying CIRCIA: Sector Perspectives On The Notice Of Proposed Rulemaking”. The witness list includes:

Heather Hogsett, Bank Policy Institute,

Scott Aaronson, Edison Electric Institute,

Robert Mayer, The Broadband Association, and

Amit Elazari, OpenPolicy Group

Tuesday, April 16, 2024

Review - CIRCIA NPRM – Cyber Incident Definitions

Earlier this month, CISA published the official version of their Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (Division Y, PL 117-103) notice of proposed rulemaking (NPRM). This is part of a continuing series of posts looking at the proposed rulemaking. In this post I will be looking at how CISA is proposing to deal with the problem of implementing the CIRCIA mandated definitions relating to cyber incidents as it applies to these reporting requirements.

Previous posts in this series include:

CISA Publishes CIRCIA Support NPRM (non-subscription version), and

CIRCIA NPRM – Covered Entity (non-subscription version)

Statutory Definitions

CIRCIA provides legal definitions (6 USC 681) for the following cyber incident related terms:

• Cyber incident, 

• Significant cyber incident, and

• Ransom payment

NPRM Definitions

The NPRM includes in the new Part 226, a section (§226.1) dealing with definitions used in the proposed regulation. Terms of importance leading to the definition of the term ‘covered incident’ include:

Information system,

Cyber incident, and

Substantial cyber incident

This leads to the rather simple definition of the term ‘covered cyber incident’ as any substantial cyber incident experienced by a covered entity.


For a more detailed look at these definitions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/circia-nprm-8dd - subscription required.

Monday, April 8, 2024

Review - CIRCIA NPRM – Covered Entity

Last week, CISA published the official version of their Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (Division Y, PL 117-103) notice of proposed rulemaking (NPRM). This is part of a continuing series of posts looking at the proposed rulemaking. In this post I will be looking at how CISA is proposing to deal with the problem of implementing the CIRCIA mandated definition of the term ‘covered entity’ as it applies to these reporting requirements.

Covered Entity Definition

CIRCIA (codified at 6 USC 681-681g) defines the term ‘covered entity’ {§681(5)}: “The term ‘covered entity’ means an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21 [link added], that satisfies the definition established by the Director in the final rule issued pursuant to section 2242(b) (§681b).” Congress had to rely so broadly on CISA’s judgement to define the term because it has never been able to come up with a usable definition of what constitutes a critical infrastructure entity.

In this NPRM, CISA defined the term ‘covered entity’ (§226.1) this way: “Covered entity means an entity that meets the criteria set forth in § 226.2 of this part.” In turn, §226.2, Applicability, provides a two-part requirement. First, the entity must be larger than the ‘small business size standard’ set forth in 13 CFR part 121. Second, the entity must meet “one or more of the sector-based criteria provided below, regardless of the specific critical infrastructure sector of which the entity considers itself to be part”. Then §226.2 goes on to list those ‘sector-based criteria’:

Owns or operates a covered chemical facility,

Provides wire or radio communications service,

Owns or operates critical manufacturing sector infrastructure,

Provides operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information,

Performs an emergency service or function,

Bulk electric and distribution system entities,

Owns or operates financial services sector infrastructure,

Qualifies as a State, local, Tribal, or territorial government entity,

Qualifies as an education facility,

Involved with information and communications technology to support elections processes,

Provides essential public health-related services,

Information technology entities,

Owns or operates a commercial nuclear power reactor or fuel cycle Facility,

Transportation system entities,

Subject to regulation under the Maritime Transportation Security Act, or

Owns or operates a qualifying community water system or publicly owned treatment works.

Each of the links above takes you to a paragraph under §226.2(b) that provides a brief description of what types of facilities (frequently with reference to a controlling regulatory structure) under that general description would be classified as a ‘covered entity’. There are lengthier discussions in the preamble that provide additional information on how CISA reached each of these definitions. Those discussions, from an enforcement perspective, will be very important for courts deciding whether a facility should be covered by this regulation.


For a more detailed look at how this definition specifically applies to chemical facilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/circia-nprm - subscription required.

Thursday, April 4, 2024

CFATS and CIRCIA NPRM

While the Chemical Facility Anti-Terrorism Standards (CFATS) program was terminated by Senate inaction last summer, the Cybersecurity and Infrastructure Security Agency (CISA) has faith that Congress will be reauthorizing the program. This is reflected in today’s publication of the “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements” notice of proposed rulemaking. The CFATS program is a fundamental part of the implementation of the CIRCIA reporting rule.

CISA’s proposed definition of the term ‘covered entity’ relies on sector-based criteria found in their proposed §226.2(b). The first such criterion, listed in paragraph (1), is:

“(1) Owns or operates a covered chemical facility. The entity owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards pursuant to 6 CFR part 27;”

In the preamble discussion for this sector-based definition, CISA acknowledges in footnote 207 that there is a possibility that the CFATS program might not be reauthorized in time for the publication of the final rule, noting that:

“CISA is aware that, at the time of publication of this NPRM, Congress has allowed statutory authority for the CFATS program to expire. CISA believes that by the time the CIRCIA final rule is issued, CFATS will be reauthorized by Congress. Should CFATS not be reauthorized by the time the CIRCIA final rule is ready for publication, CISA proposes to replace [link added] the proposed CFATS-based Chemical Sector criterion in this NPRM with an alternate Chemical Sector criterion focused on owners and operators of facilities regulated by the Environmental Protection Agency (EPA) under its Risk Management Program (RMP) regulations.”

I will be covering this issue in more depth when I discuss the ‘covered entity’ portion of the NPRM in future blog posts.

Friday, March 29, 2024

Reader Question – CIRCIA Comments

Yesterday, a long-time reader asked me if I would be posting about CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) notice of proposed rulemaking (NPRM). The question was asked because the Federal Register had ‘published’ the NPRM the day before on their ‘Public Inspection’ page. While normally this page lists the next day’s Federal Register publications, documents published in the ‘Special Filing’ section are published further in advance. In this case the CIRCIA NPRM will be officially published in the Federal Register on April 4th, 2024.

I replied to the question: “I am planning to discuss it on April 4th when it is published in the Federal Register because of the link capabilities.” I thought a little more detail might be appreciated.

First off, the early publication on the Public Inspection page does not contain the same information as provided in the Federal Register publication. Regulatory dates are typically calculated from the date of the FR publication and are noted in the PI documents as, for example, “[INSERT DATE 60 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]”. Additionally, some included tables may not be complete in the PI publication. Finally, there are provisions for agencies to make changes after PI publication but before the official publication of the documents.

My personal reason, though, for not typically using the PI version for my blog comments is that there are no provisions in the PI version for links to paragraphs within the document. That is very important in a 417-page document like the CIRCIA NPRM. I really do like providing my readers with direct access to the regulatory language so they can see for themselves whether they agree with my interpretation of what is being said. I can do that with the FR version of the document; I cannot with the PI version.

There are also mechanical (as in writing mechanics) reasons for waiting for the Federal Register version of the NPRM to be published. There are tools available on the Federal Register Documents pages that make it easier to navigate lengthy documents and find supporting information (actual proposed regulatory code, for instance) that makes it less time consuming to prepare my analyses of regulations.

So, yes, this is an important rulemaking, and an unofficial 417-page version is available for public perusal. I just do not intend to write an analysis of the NPRM based on that document. I will wait for the April 4th publication of the official version. By the way, the 60-day comment clock starts from that publication.

BTW: That reader also commented that they did not always see my advertorial posts on LinkedIn. I reminded the reader that my Substack newsletter includes an almost daily post citing my recent publications here and other places, and that post is available to free subscribers. So, if you want to keep up with what I am writing, go to CFSN Detailed Analysis and sign up today. You can also follow me on LinkedIn, Mastodon, and TWITTER.com.
