CIRCIA Extension Letter 040524 FINAL
Christopher D. Roberti
Senior Vice President for Cyber, Space, and National Security Policy, U.S. Chamber of Commerce
Matthew J. Eggers
Vice President, Cybersecurity Policy Cyber, Intelligence, and Security Division U.S. Chamber of Commerce
Published
April 05, 2024
April 5, 2024
Mr. Todd Klessman
CIRCIA Rulemaking Team Lead
Cybersecurity Infrastructure and Security Agency
circia@cisa.dhs.gov
Re: Request for Extension on Cyber Incident Reporting for Critical Infrastructure Act
Dear Mr. Klessman:
The undersigned organizations, representing diverse sectors of the economy, respectfully request the Cybersecurity Infrastructure and Security Agency (“CISA”) to extend the comment period on the Notice of Proposed Rulemaking (“NPRM”) of the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) by 30 days, making comments due on July 3, 2024.
The proposed rule is extensive and intricate, reflecting the complexities inherent in addressing cybersecurity within critical infrastructure sectors. The NPRM spans nearly 500 pages. Consequently, its length and depth necessitate a comprehensive review process to ensure that all stakeholders fully understand its implications.
Additionally, given the potential impact of this rule, affecting every critical infrastructure sector, and possibly serving as a model and hub for other reporting requirements, extending the deadline for comments as requested above is both prudent and necessary. It will allow organizations to thoroughly evaluate the proposed requirements, identify potential challenges, and propose effective solutions that prioritize both security and operational continuity.
Finally, we acknowledge that this marks CISA’s first time regulating all critical infrastructure sectors through a formal rule. This regulatory action and its accompanying rulemaking process will establish a precedent for the future. Drafting and vetting this NPRM consumed well over a year for CISA to complete. Overall, we believe that extending the comment period by 30 days would promote a more informed rulemaking process, ultimately resulting in stronger rule, a better process for reporting, and a strong public-private partnership.
We appreciate your understanding and consideration of this matter, and we look forward to providing substantive comments to the CIRCIA proposed rule.
Sincerely,
Airlines for America
Alliance for Chemical Distribution
Alliance for Digital Innovation
American Bankers Association
American Chemistry Council
American Foundry Society
American Fuel & Petrochemical Manufacturers
American Petroleum Institute
American Short Line and Regional Railroad Association
Association of American Railroads
Bank Policy Institute
BSA | The Software Alliance
Edison Electric Institute
Federation of American Hospitals
Industrial Fasteners Institute
Information Technology Industry Council
Institute for Security and Technology
Interstate Natural Gas Association of America
National Association of Mutual Insurance Companies
National Electrical Manufacturers Association
National Retail Federation
NTCA–The Rural Broadband Association
Nuclear Energy Institute
Security Industry Association
The Cybersecurity Coalition
The Fertilizer Institute
Utilities Technology Council
U.S. Chamber of Commerce
Cc: Jen Easterly, Director, CISA
Brandon Wales, Executive Director, CISA
Eric Goldstein, Executive Director, CISA
CIRCIA Extension Letter 040524 FINAL
About the authors
Christopher D. Roberti
Christopher D. Roberti is senior vice president for Cyber, Space, and National Security Policy at the U.S. Chamber of Commerce.
Vincent Voci
Vice President for Cyber Policy and Operations in the Cyber, Intelligence, and Supply Chain Security Division at the U.S. Chamber of Commerce
Matthew J. Eggers
Matthew J. Eggers is vice president of cybersecurity policy in the Cyber, Intelligence, and Security division at the U.S. Chamber of Commerce.
