AAR, ASLRRA Submit Comments on Cyber Incident Reporting NPRM

(Shutterstock.com/ TierneyMJ)

New cyber incident reporting obligations may be “burdensome and duplicative,” the Association of American Railroads (AAR) and American Short Line and Regional Railroad Association (ASLRRA) wrote in their July 3 comments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which has released a Notice of Proposed Rulemaking (NPRM) concerning Cyber Incident Reporting for Critical Infrastructure Act reporting.

According to ASLRRA, the Cyber Incident Reporting for Critical Infrastructure Act requires CISA to make rules mandating that “covered entities report certain cyber incidents, ransom payments made in response to a ransomware attack, and other information to the agency within certain timeframes.”

The Act directed CISA “to define several critical elements of new regulations, including which organizations will be ‘covered entities’ that must report cyber incidents, what types of cyber incidents must be reported, and the scope of proposed retention requirements,” the associations explained in their comments on the CISA NPRM. “However, the proposed rule takes an expansive approach to each of these proposed definitions, and, as such, the definitions should be refined and narrowed. In addition, CISA should reduce the scope of proposed retention requirements and undertake efforts to promote harmonization with other reporting requirements from other agencies.”

AAR and ASLRRA pointed out that the rail sector “has been operating under various and changing security directives” issued by the Department of Homeland Security’s Transportation Security Administration (TSA) “under asserted emergency authority since 2021.” These directives include “mandatory cyber incident reporting with a 24-hour deadline.” The associations said that the “rail industry’s experience with the security directives and TSA reporting should inform CISA’s consideration of new reporting obligations that may be burdensome and duplicative of those required by other agencies. CISA should work to reduce burdens and advance alignment and harmonization of reporting obligations, in a transparent manner that considers burdens and benefits.”

The associations provided CISA with the following five recommendations:

1. “The proposed definition of ‘covered entities’ is overly broad and exceeds the intent of Congress, and it should be revised accordingly.” According to AAR and ASLRRA, “CISA proposes applying the definition to any entity in the Transportation Sector that exceeds a small business threshold. Further, for those entities not meeting this threshold, CISA would apply sector-based criteria.” For the freight rail industry, “this would include any freight railroad carrier identified in 49 CFR 1580.1(a)(1), (4), or (5), as well as any entity already required by TSA to report cyber incidents,” the associations said. “Until now, TSA has only required freight railroads that fall under 49 CFR 1580.101, and a select number of other carriers they identified—approximately 70 covered entities—to comply with the series of rail cybersecurity directives issued by TSA since 2021.” The proposed rule, they noted, “would drastically increase that scope to include all freight railroads, including all of the more than 600 Class II and III railroads, the majority of which TSA has not seen cause to regulate and would otherwise not be large enough to exceed the proposed small business threshold.” Additionally, CISA has proposed that a covered entity constitutes “‘the entire entity’ and is not limited to the ‘individual facilities or functions,’” according to the associations, which explained that “if one part of an entity’s operations is deemed to be in critical infrastructure, the entire entity will be subject to CISA’s cyber incident reporting requirements.” As a result, under the proposed rule, “entities already reporting to CISA under the TSA security directives would also be required to report to CISA under this regulation but on a far broader scope.” Having two requirements to report to “the exact same agency makes little sense and only creates opportunities for confusion, especially given the distinct reporting requirements in the different mandates,” AAR and ASLRRA pointed out.
At a minimum, they said, “CISA should limit its definition of covered entities in the rail sector to those currently required to report incidents under the existing TSA security directives, similar to CISA’s approach to the pipeline sector.” Also, CISA should limit reporting requirements “to those business functions that are engaged in critical infrastructure.” Such adjustments “would reduce the number of reports that CISA is likely to receive and, in turn, make it more likely that CISA can evaluate and share timely and valuable information from the mandatory reports,” according to AAR and ASLRRA.

2. “The definition of ‘substantial’ cyber incidents is vague and may be read too broadly; CISA should limit the scope of the definition.” The associations said that the proposed definition of substantial cyber incidents “should be narrowed by adding language to the ‘unauthorized access’ prong to require a ‘demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety.’” They pointed out that the “potential for confusion is exacerbated by vague and overinclusive language.” They also said the proposed rule would be “improved by revisions to the third party-data provider and supply chain prong of its definition of ‘substantial’ to also include a significant threshold.” Third-party incidents, the associations noted, “present their own challenges for covered entities because it can take time to obtain details from third parties that are having an incident, and there may be contractual or confidentiality issues related to the sharing of information.” Covered entities may rely on third parties for various services, technology, and functions, according to the associations.

3. Information required to be reported in Cyber Incident Reporting for Critical Infrastructure Act reports “is excessively broad, as is the supplementation obligation.” According to AAR and ASLRRA, the rail sector has been operating under security directives that require cyber incident reporting. Based on their members’ experience, “reporting under the Security Directives already imposes substantial burdens on operators,” the associations said. “It is often difficult to obtain and confirm the mandated information within the short 24-hour period required under the security directives, and to develop answers to the many questions on the CISA form. Completing the form takes valuable time from companies’ security operators and their legal teams. The questions on that form differ substantially from the information proposed to be reported” under the NPRM. The information that CISA proposes to require would “impose substantially more burdens on operators’ security and legal teams to gather, package, review, and verify required information,” and the “NPRM’s supplementation requirement will compound these challenges because the trigger for required supplementation is not clear and it may entail updating all the information previously reported. …” The associations noted that “despite making incident reports to the government under the Security Directives,” AAR members “rarely if ever receive actionable information or responses”; CISA should “consider carefully the effectiveness, utility, and substantial burden of the current reporting mandate as it considers how to implement” the Cyber Incident Reporting for Critical Infrastructure Act.

4. “CISA should reduce the scope of proposed retention requirements.” According to AAR and ASLRRA, the proposed rule would require covered entities to preserve “numerous types, and large volumes, of information related to a covered incident.” This includes: “communications with any threat actor (e.g., copies of actual correspondence), indicators of compromise, log entries (e.g., DNS, firewall, packet capture, endpoint, or Active Directory), ‘relevant forensic artifacts’ such as forensic images or preserved hosts, network data, data and information ‘that may help identify’ how a threat actor compromised a system, system information to identify exploited vulnerabilities (e.g., operating systems, version numbers, patch levels, and configuration settings), information about any exfiltrated data, data or records related to paying a ransom, and any forensic or other reports about an incident (such as those created by a cybersecurity services vendor).” All that data, they said, would have to be preserved and “readily accessible and retrievable” for two years—a period that could be “extended upon the discovery of ‘substantial new or different information.’” Such “voluminous” information would “impose significant costs to store and retain,” according to the associations. “CISA should limit the retention requirement to records sufficient to assess whether a covered entity appropriately determined that an incident was ‘covered,’” they said. “And it should do this while also limiting the scope of covered incidents, to limit unnecessary retention of data of dubious relevance and importance.”

5. “CISA should interpret the ‘substantially similar’ requirement more broadly to promote harmonization and eliminate duplicative reporting.” The associations wrote that under the TSA Security Directive, “freight rail carriers’ incident reporting obligations are required for incidents involving ‘the freight railroad carrier’s Information or Operational Technology systems or other aspect of the Owner/Operator’s rail systems or facilities the Owner/Operator has responsibility to operate and/or maintain.’” However, the scope of the proposed Cyber Incident Reporting for Critical Infrastructure Act “rules would apply to far more than a freight railroad’s rail systems or facilities by extending the obligation to non-critical infrastructure assets and information.” Such a “broad scope,” AAR and ASLRRA said, “may prevent harmonization between the CIRCIA [Cyber Incident Reporting for Critical Infrastructure Act] rules and the TSA Security Directive on incident reporting, if the government deems the type of incidents covered to be too different, or the reportable information is not seen as substantially similar.” They pointed out that the TSA Security Directive “already requires freight railroads to report cyber incidents to CISA using the CISA Incident Reporting Form within 24 hours. Accordingly, the Security Directive and the forthcoming CIRCIA rules present what should be an ideal opportunity for elimination of the requirements under the security directives, or, at the very least, harmonization.”

AAR and ASLRRA concluded that the proposed rule “would include too many entities and too many incidents, and it seeks to collect and require retention of too much information.” These issues, unless addressed, “will result in excessive and superfluous reports, which will hamper CISA’s ability to analyze threats and share defensive measures with the speed and accuracy that would make such information valuable,” they said. “Furthermore, burdensome retention requirements and unclear harmonization embraces more targeted reporting requirements and greater harmonization will ultimately result in fewer unnecessary burdens and greater utility from the information shared.”