Regulatory Submissions

APGA replies to CIRCIA NPRM (July 3 2024) 

This month, APGA joined other industry trade groups in filing comments on the Cybersecurity and Infrastructure Security Agency’s (CISA) recent notice of proposed rulemaking (NPRM) titled the Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements (CIRCIA). The rulemaking would require covered utilities that meet specific criticality criteria to report cyber incidents to CISA within 72 hours after they experience a covered incident. Most APGA member systems will not be considered covered entities under this current framework, as they do not meet certain size thresholds. However, engaging in these opportunities to comment on new reporting requirements ensures that public gas utilities' unique and diverse perspectives are included in the conversation, especially as regulators decide whether or not to expand the requirements in the future. 
 
Public gas systems are committed to working with the federal government to implement effective cybersecurity incident reporting mechanisms that are practical for operators and provide government stakeholders with the appropriate information.
 
APGA submitted feedback on this process via CISA’s request for information (RFI) on the forthcoming regulation in 2022. APGA and other trade associations were pleased to see that the agency incorporated some of the feedback that industry offered back in 2022 in this most recent NPRM. Still, in this version, industry has identified several opportunities for CISA to improve the rulemaking by eliminating unnecessary, burdensome elements and ensuring adequate harmonization with other reporting requirements. A few key points in our comments are: 
  • CISA should ensure that appropriate consideration is given to the available resources of covered entities if the requirements are ever expanded.
  • CISA should reduce the amount of information required to be submitted in the first 72 hours to only the most pertinent information.
  • CISA should reduce the amount of sensitive information it retains to minimize the potential consequences of a data breach. 
 

Attachment(s)
CIRCIA NPRM Comments - AGA INGAA API APGA (1).pdf   335 KB   1 version
Uploaded - 07-18-2024
