The American Public Power Association is seeking clarification of several aspects of a Cybersecurity and Infrastructure Security Agency notice of proposed rulemaking to implement cyber incident reporting requirements for critical infrastructure entities.
APPA submitted the comments to the agency on July 3.
The points on which APPA is seeking clarification include the factors for determining whether a cyber incident is reportable, the timeline for making that determination, and CISA’s expectations for the level of detail that must be reported in the initial hours following an incident.
APPA emphasized in its comments that CISA should exclude small utilities from the reporting obligation and ensure that utilities are not subject to duplicative reporting requirements.
APPA also joined comments with several other trade associations for the financial services, telecommunications, and electricity sectors, encouraging CISA to limit the scope and raise the threshold for incident reporting by amending the definition of a substantial cyber incident in the final rule.