NERC urged the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to ensure that future rules on reporting cybersecurity incidents are in harmony with existing requirements and that it continue collaborating with utilities and their regulators during the rulemaking process.

Additional ERO Enterprise stakeholders, including the ISO/RTO Council (IRC), the National Rural Electric Cooperative Association and the Electric Power Supply Association, participated in the comment period for CISA’s Notice of Proposed Rulemaking that concluded last week. The agency opened the comment period in April with an initial 60-day deadline, which later was extended to 90 days. (See CISA Seeks Comment on Proposed Cyber Reporting Rules.)

The NOPR stems from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), passed in 2022, which requires entities in critical infrastructure sectors — including energy — to report relevant cyber and ransomware incidents to CISA within 72 hours. CIRCIA left to CISA the authority for defining which incidents would be subject to reporting and which additional sectors, if any, the requirements would cover.

In its proposal, CISA said it would use the authority granted by the law to “fill … key gaps in the current cyber incident reporting landscape” and create a “comprehensive and coordinated approach” to cyber incident reporting.

The NOPR included a web-based form that would be the only official option for submitting incident reports, along with definitions of key terms such as “cyber incident,” “covered cyber incident” and “information system.” It also proposed details of content to be included in incident reports, such as whether victims requested assistance from other entities and their engagement with law enforcement agencies related to the ransomware or cyberattack.

NERC’s response to CISA noted that the ERO’s Critical Infrastructure Protection (CIP) reliability standards already address cybersecurity risks, including requirements for reporting cyber incidents to both the agency and the Electricity Information Sharing and Analysis Center (E-ISAC). Along with the CIP standards, electric utilities also are required to report certain cyber and physical security incidents to the U.S. Department of Energy through Form OE-417; entities may submit their OE-417 reports to the E-ISAC in place of CIP reports.

The ERO said “there are many commonalities between” the CIP reporting requirements, OE-417, and the proposed CIRCIA requirements. Noting CISA’s statement that it is “committed to working with DOE, FERC and NERC” to allow entities to comply with all three reporting regimes through a single report “to the extent practicable,” NERC said it “looks forward to working with its government partners to explore options to reduce regulatory burden and avoid unnecessary duplication.”

NERC also requested that CISA provide a mechanism for sharing CIRCIA reports with the E-ISAC and its counterparts in other industries. The ERO said that “ISACs are uniquely positioned … to amplify CISA’s analysis throughout their respective sectors and to enrich [it] with sector-specific information.”

“The E-ISAC understands that in certain instances there may be privacy-related concerns with sharing attributable information with ISACs without the consent of the submitting entity,” NERC said. “The E-ISAC respectfully requests that CISA develop a process for obtaining consent for sharing attributable information and, where that is not possible, removing identifiable information from the reports and its analysis to be able to share relevant information with ISACs and their members free of any security and privacy-related issues.”

Other Stakeholders Respond

Like NERC, the IRC encouraged CISA to “continue its education, outreach, and collaboration efforts” with NERC and the E-ISAC, other government agencies, and the ISOs and RTOs, specifically by soliciting stakeholder input on future information sharing agreements implemented under CIRCIA. In addition, the IRC suggested CISA hold a technical conference on the design of its web-based reporting form.

EPSA expressed concern about the proposed rule, calling it “extremely broad” and warning it may require “more extensive reporting than the detailed regimes under which EPSA members currently operate.” The association urged CISA to refine its definition of “covered cyber incident” to avoid requiring reports on “less critical incidents” that might take up entities’ time and resources unnecessarily.

NRECA also described CISA’s proposal as too broad, saying it applies “to all electric utilities regardless of size, location or resources, [which] includes hundreds of small distribution cooperatives that serve a relatively small number of meters.” This broad applicability “exceeds Congress’ intent in the CIRCIA legislation,” NRECA said, suggesting CISA limit its criteria to be risk-based so it covers entities that can provide the “most relevant and actionable information.”