Tech group identifies considerations to scope key definitions for CISA incident reporting regime

The Information Technology Industry Council has outlined considerations for CISA to evaluate as the agency works through defining what a “covered entity” and “covered cyber incident” should be under its upcoming incident reporting regulation.

The Cyber Incident Reporting for Critical Infrastructure Act, known as “CIRCIA,” directs CISA to establish a mandatory regime where incidents must be reported within 72 hours and 24 hours for ransomware payments. The March law gives CISA 24 months to release a notice of proposed rulemaking,...