Groups Seek More Time to Submit Comments on Cyber Incident Reporting Proposal

The American Public Power Association, the National Rural Electric Cooperative Association, and the Edison Electric Institute on April 8 asked the Cybersecurity and Infrastructure Security Agency to extend by 30 days the comment period on a proposed rule that would require some critical infrastructure operators to report covered cybersecurity incidents and ransomware payments to CISA.

The Notice of Proposed Rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act was issued on April 4.

“CISA provided stakeholders only 60 days, or until June 3, 2024, to comment on a complex proposal that spans over 450 pages in length,” the groups told CISA.

“To sufficiently analyze the proposal, determine the potential impacts to the energy sector, and ensure harmonization between existing and other developing federal reporting requirements, additional time to comment is necessary,” APPA, NRECA, and EEI said.

“The additional time will allow for more thorough review and meaningful comment from the electric sector as we continue to strive to develop policy actions and strategies that help protect the North American energy grid and prevent a spectrum of threats from disrupting electricity service,” the groups told CISA.