{"id":3363,"date":"2024-05-01T17:23:56","date_gmt":"2024-05-01T22:23:56","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80320"},"modified":"2024-05-01T17:23:56","modified_gmt":"2024-05-01T22:23:56","slug":"cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/01\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say\/","title":{"rendered":"CISA\u2019s incident reporting requirements go too far, trade groups and lawmakers say"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>CISA&#8217;s incident reporting requirements go too far, trade groups and lawmakers say | CyberScoop<\/title> <meta name=\"description\" content=\"The draft cyber incident reporting rule faced significant pushback during a House hearing Wednesday, with industry groups arguing for a narrower reporting requirement.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-cyber-incident-reporting-hearing\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA's incident reporting requirements go too far, trade groups and lawmakers say\"> <meta property=\"og:description\" content=\"The draft cyber incident reporting rule faced significant pushback during a House hearing Wednesday, with industry groups arguing for a narrower reporting requirement.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-cyber-incident-reporting-hearing\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta 
property=\"article:published_time\" content=\"2024-05-01T22:23:56+00:00\"> <meta property=\"article:modified_time\" content=\"2024-05-01T22:23:57+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1190\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712700738g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1713212360g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1712858261g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80320\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80320\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-cyber-incident-reporting-hearing%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-cyber-incident-reporting-hearing%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80320 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-cyber-incident-reporting-hearing\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> 
<\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.149746192893\">\n<div class=\"single-article__header-content\" readability=\"30.88813559322\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/government\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> The draft cyber incident reporting rule faced significant pushback during a House hearing Wednesday, with industry groups arguing for a narrower reporting requirement. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"397\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say.jpg?resize=640%2C397&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Congress, lawmakers, U.S. 
Capitol Building, incident reporting, CISA\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=300,186 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=768,476 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=1024,635 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=1536,952 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=600,372 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=271,168 271w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=544,337 544w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=1089,675 1089w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-2.jpg?resize=1360,843 1360w\" sizes=\"(max-width: 1089px) 100vw, 1089px\"><figcaption> The U.S. Capitol is seen in Washington, D.C., on Jan. 22, 2018. 
(MANDEL NGAN\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"33.060642092747\"><body readability=\"68.578961244398\"><\/p>\n<p>A draft rule for cyber incident reporting asks far too much of critical infrastructure entities and of the agency tasked with carrying out the law, trade groups representing the electric, telecommunications and finance sectors said during a House hearing Wednesday.<\/p>\n<p>The cyber incident reporting mandate is one of the Cybersecurity and Infrastructure Security Agency\u2019s biggest forays into a regulatory role \u2014 and it is proving to be a thorny one. The 447-page draft rule, <a href=\"https:\/\/cyberscoop.com\/cisa-cyber-incident-reporting-critical-infrastructure\/\">released in March<\/a>, would require select critical infrastructure companies to report significant cyber incidents within 72 hours and any ransomware payments within 24 hours. The rule was established largely for the government to better understand the cyber landscape after multiple major cyberattacks \u2014 such as the <a href=\"https:\/\/cyberscoop.com\/tag\/solarwinds\/\">SolarWinds espionage campaign<\/a> \u2014 highlighted the fact that many attacks go unnoticed.<\/p>\n<p>Witnesses before the House Homeland Security\u2019s cybersecurity subcommittee were largely in agreement that the rule is an important step for broader cyber awareness but also too broad, increasing the likelihood of CISA becoming overwhelmed by reports. Meanwhile, front-line defenders \u2014 particularly smaller organizations \u2014 could be hampered by trying to both file reports and deal with an attack. 
CISA will not be able to keep up with the amount of data due to the broad definition of cyber incidents and who should report, the witnesses argued.<\/p>\n<p>While it\u2019s <a href=\"https:\/\/cyberscoop.com\/cisa-circia-cyber-incident-reporting\/\">no surprise<\/a> that industry wants to shave off aspects of the regulatory requirement, the pushback could mean the final version of the rule will be significantly pared down from the draft. Another point raised by the witnesses is that there must be a greater focus on harmonizing other reporting requirements with the new mandate.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Lawmakers seemed to agree. Rep. Eric Swalwell, D-Calif., noted during his opening statement that \u201cwe have to make sure that we don\u2019t wrap up non-relevant small and medium-sized businesses in reporting requirements that can both be cumbersome and expensive to businesses and provide worthless data to CISA.\u201d<\/p>\n<p>Rep. Yvette Clarke, the former chair of the subcommittee who sponsored the bill, also thought that CISA\u2019s rule went too far. Citing testimony from 2021, the New York Democrat said that lawmakers did not intend to \u201csubject everyone and every incident with reporting.\u201d<\/p>\n<p>As CISA\u2019s definitions of what constitutes a significant cyber incident and what information should be provided were picked apart, the agency itself came under fire from witnesses who questioned its subject matter expertise as well as its ability to keep the information safe from hackers. 
The volume of reports will be so large that it will overwhelm the agency\u2019s ability to parse all the information and send out actionable intelligence to defenders, witnesses said.<\/p>\n<p>\u201cCISA currently has challenges with having specific subject matter expertise to get through the noise,\u201d said Heather Hogsett, the senior vice president of technology and risk strategy for the Bank Policy Institute.<\/p>\n<p>CISA\u2019s own <a href=\"https:\/\/therecord.media\/cisa-takes-two-systems-offline-following-ivanti-compromise\">cybersecurity breach<\/a> serves as an example of the difficulty the agency might have in keeping sensitive data secure, said Scott Aaronson, senior vice president of security and preparedness at the Edison Electric Institute, an electric trade group that represents investor-owned utilities, which are for-profit electric utilities.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Additionally, CISA faces a delicate balance in imposing a mandate on the same organizations that the agency needs to work with on a voluntary basis. 
Responding to a question about the electric sector\u2019s relationship with the Department of Energy, Aaronson said that part of the reason the electric sector works so well with DOE is that the agency \u201cis not regulatory.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2408759124088\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/cisas-incident-reporting-requirements-go-too-far-trade-groups-and-lawmakers-say-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. 
Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div 
class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-cyber-incident-reporting-hearing\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA&#8217;s incident reporting requirements go too far, trade groups and<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1794,452,293,1981,1982,117,962,439,29],"tags":[1795,454,299,1983,1984,119,963,443,37],"class_list":["post-3363","post","type-post","status-publish","format-standard","hentry","category-circia","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-electric-sector","category-finance","category-government","category-incident-reporting","category-policy","category-telecommunications","tag-circia","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-electric-sector","tag-finance","tag-government","tag-incident-reporting","tag-policy","tag-telecommunications"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/circia\/\" rel=\"category tag\">CIRCIA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure 
Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/electric-sector\/\" rel=\"category tag\">electric sector<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/finance\/\" rel=\"category tag\">finance<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/incident-reporting\/\" rel=\"category tag\">incident reporting<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/telecommunications\/\" rel=\"category tag\">Telecommunications<\/a>","tag_info":"Telecommunications","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3363"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3363\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3363"}],"curies":[{"name"
:"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}