CISA Issues Request for Information for Cyber Incident Reporting Rulemaking

min read

Colleges and universities are not subject to the law requiring cyber incident reporting to the Cybersecurity and Infrastructure Security Agency (CISA). However, details of the agency's regulatory process, starting with its recent request for information, are worth noting, given their general implications for federal policy on cyber incident reporting.

On September 12, the Cybersecurity and Infrastructure Security Agency (CISA) introduced a Request for Information (RFI) on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The RFI marks the first step in the regulatory process for CISA as it moves forward with its anticipated Notice of Proposed Rulemaking (NPRM).Footnote1

CISA is issuing this RFI to receive input from interested stakeholders on "potential aspects" of the anticipated NPRM prior to its publication. According to the RFI, CISA is searching for input on "definitions for and interpretations of the terminology to be used in the proposed regulations; the form, manner, content, and procedures for submission of reports required under CIRCIA; information regarding other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited; and other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations."Footnote2

Specifically, the RFI seeks input on the following topics, in addition to other input:

  • The definition of "covered entity"
  • The definition of "covered cyber incident" and "substantial cyber incident"
  • The definition of "ransom payment" and "ransomware attack" and the time at which the twenty-four-hour deadline for reporting such incidents begins
  • What constitutes "reasonable belief" that a covered cyber incident has occurred to initiate the seventy-two-hour deadline for reporting such incidents
  • The costs associated with compiling and reporting information about a cyber incident, the use of a third-party entity to submit a cyber incident report or ransom payment report on behalf of a covered entity, and the retention of data related to cyber incidents

It is important to remember that the requirements of CIRCIA will apply to entities that fall within the Department of Homeland Security's long-established list of "critical infrastructure" sectors, which does not include higher education. An earlier iteration of the bill would have subjected higher education institutions to cyber incident reporting requirements alongside all other "federal contractors," but that version was ultimately replaced by the iteration that was included in the Consolidated Appropriations Act, which was signed into law in March 2022.Footnote3


  1. Katie Branson, "CISA Cyber Incident Reporting Rulemaking Is on the Horizon," EDUCAUSE Review, September 20, 2022. Jump back to footnote 1 in the text.
  2. Department of Homeland Security, "Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022," Federal Register 87 no. 175 (September 12, 2022): 55833. Jump back to footnote 2 in the text.
  3. Jarret Cummings, "Good News on Cyber Incident Reporting Bill," EDUCAUSE Review, March 25, 2022. Jump back to footnote 3 in the text.

Bailey Graves is an Associate at Ulman Public Policy.

© 2022 EDUCAUSE. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.