ASDWA Submits Comments on Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law in March 2022 and marks a significant milestone in increasing cyber resiliency in critical infrastructure sectors. Between now and September 2025, the Cybersecurity and Infrastructure Security Agency (CISA) will develop standards to require covered entities in critical infrastructure sectors to report cyber incidents and ransomware payments within specified timeframes. This mandatory reporting will “allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”

As these new authorities are regulatory, CISA must complete mandatory rulemaking activities before the reporting requirements go into effect. Back in September, CISA released a Request for Information (RFI) to solicit public input on potential aspects of the proposed regulation, along with a notice of public listening sessions.

ASDWA submitted the attached comments (below) earlier today, emphasizing the need for state and Federal coordination in reporting to ensure regulatory requirements are met, and public health is protected.

ATTACHMENT: ASDWA Response to CISA RFI on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 CIRCIA