Requirements proposed earlier this year by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency are overly broad and would be burdensome to manufacturers if adopted, according to the National Association of Manufacturers.
CISA has published draft rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act, scheduled to go into effect next year, that would require “covered entities” in critical infrastructure sectors to report major cyber incidents to CISA within 72 hours. It would also require any ransomware payments to be reported within 24 hours.
The proposed rulemaking could affect more than 300,000 entities, according to CISA’s own estimate. Many of these organizations are either not truly “critical infrastructure” or too small to have the resources to undertake the outlined actions in the specified time, NAM said in a letter submitted to CISA on July 2.
The letter notes that because the proposed rules rely on the North American Industry Classification System (NAICS) codes, they unnecessarily include all companies engaged in the manufacturing of every type of product within broad NAICS subsectors. The disruption or interruption of the manufacture of such products, including garden equipment and kitchen cookware for example, does not pose a threat to national security, the letter said.
“At a minimum, we recommend that CISA drill down much more granularly — below 6-digit NAICS codes — to only cover the manufacturing of specific product categories that are genuinely critical to our national security, national economic security, or national public health or safety,” the NAM letter to CISA said.
Besides mandating the reporting of incidents that do not even affect the operation of critical infrastructure, the proposed rules would also require a massive amount of information in a short time from companies that are in the throes of recovering from a cyberattack.
“NAM respectfully encourages the agency to drastically reduce the number of entities required to report, and the number of incidents they have to report,” NAM Vice President of Domestic Policy Charles Crain told the agency. “Doing so will ensure that CISA receives useful information about cybersecurity incidents — without overburdening manufacturers with overbroad and unworkable disclosure requirements.”