Reporting Requirements RFI Response



REQUEST FOR COMMENT

DOCKET NO. CISA-2022-0010

Cyber Florida

The Florida Center for Cybersecurity (also known as Cyber Florida) was established within the University of South Florida in 2014 under Florida statute 1004.444. The goals of the center are to: position Florida as a national leader in cybersecurity and its related workforce through education, research, and community engagement; assist in the creation of jobs in the state’s cybersecurity industry and enhance the existing cybersecurity workforce; act as a cooperative facilitator for state business and higher education communities to share cybersecurity knowledge, resources, and training; seek out partnerships with major military installations to assist, when possible, in homeland cybersecurity defense initiatives; and attract cybersecurity companies to the state with an emphasis on defense, finance, health care, transportation, and utility sectors.

With the shared mission of promoting cybersecurity awareness and enhancing the cyber resiliency of our Nation, Cyber Florida is eager to provide comments on the Cyber Incident Reporting for Critical Infrastructure Act.

Comment

As it relates to the term “covered entities”, it appears that CISA has expanded this definition to include a very broad range of organizations that exceed small business size standards or meet at least one sector-based criterion, regardless of size. The issue we see with this categorization is the ability and bandwidth of small businesses that are deemed a “covered entity” to comply with the reporting requirements set forth in the Act. Many small businesses that will fall under this definition may not have the capability, resources, or manpower to not only respond operationally to a significant cyber incident, but to also follow required reporting procedures within the specified timeframe. Such requirements may prove to be extremely burdensome on small businesses, if not unattainable, due to the sheer lack of resources and trained cybersecurity professionals at their disposal, placing them largely at risk of noncompliance and unjustly on the receiving end of the outlined enforcement protocols.

While we agree that there is significant benefit in prompt and comprehensive reporting across sectors, we must commit to providing the resources and support necessary for each covered entity to facilitate proper and accurate reporting, as well as to respond to a substantial cyber incident. Resources outlining the way in which an entity can determine if it is considered covered are necessary, as well as specific instructions on the reporting process and the information that is required to be reported. Additionally, CISA’s continued efforts to address the cybersecurity workforce shortage through education and training are paramount in enhancing the cybersecurity posture of the Nation. CISA may also consider implementing sector-specific reporting guidelines and timeframes, as cybersecurity challenges may differ across critical infrastructure, and the impact to public safety and security if an entity should undergo a cyber incident may also vary. Tailoring the reporting requirements to the unique needs of each sector should provide CISA with more accurate incident information and ease some of the burden on those who may be considered less critical.

Finally, harmonization of cybersecurity reporting requirements is crucial to reduce redundancy and avoid onerous compliance standards for covered entities. We acknowledge that CISA has taken steps to address this issue and commend their efforts in doing so. However, we believe that a single, centralized reporting mechanism will not only decrease the administrative burden on covered entities, but may also provide CISA and others with consistent and rapid incident information to, in turn, determine a quick and proper response plan with sufficient resource allocation. Overall, collaboration and coordination across federal agencies in terms of cyber incident reporting requirements will facilitate more successful and efficient reporting from critical infrastructure, ultimately enhancing cyber incident response and recovery.

Conclusion

Cyber Florida is grateful for the opportunity to provide comments on the Cyber Incident Reporting for Critical Infrastructure Act. We support this objective and commend CISA for their leadership and efforts in this area.

Contributing Authors

Jordan Deiuliis

Senior Cyber Program and Policy Analyst

Cyber Florida: The Florida Center for Cybersecurity

Contact Information

Ernie Ferraresso eferraresso@cyberflorida.org 813 974 1869

Director

Cyber Florida: The Florida Center for Cybersecurity
