Date filed: November 14, 2022
Agency: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
Summary: In comments on CISA’s Request for Information on the implementation of cyber incident and ransom payment reporting requirements as directed by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), EPSA highlights several existing cyber and physical security regulatory regimes which oversee the electric industry, particularly NERC Critical Infrastructure Protection (CIP) standards. Thus, EPSA recommends that CISA consider existing standards and regulations where applicable for development of definitions and requirements. This would maintain consistency, maximize efficiency, and allow for deference to more stringent existing regimes – resulting in a more streamlined and useful rollout of the requirements in a CIRCIA final rule.