EDUCAUSE Pushes Back on Proposed Cyber Incident Reporting Regulations

Several higher education associations joined EDUCAUSE in responding to proposed federal regulations mandating cyber incident reporting. Among other key points, the associations argued that the issuing agency, CISA, intends to apply vague requirements to higher education without consulting the higher education community or considering the impacts of the requirements.

Earlier this year, the Cybersecurity and Infrastructure Security Agency (CISA) issued proposed cyber incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Surprisingly, the notice of proposed rulemaking (NPRM) indicates that CISA intends for the scope of the proposed regulations to include all higher education institutions participating in federal student aid programs under Title IV of the Higher Education Act (HEA)—in other words, virtually every college and university in the country.[1]

Historically, the Department of Homeland Security (DHS) and CISA have not considered higher education to be a critical infrastructure sector. A relevant sector, such as health care or defense, might apply to a discrete aspect of a higher education institution, but the institution as a whole is not treated as a critical infrastructure entity. In the proposed CIRCIA regulations, however, CISA states that it would leverage the Educational Facilities Subsector (EFS) of the Government Facilities Sector (GFS)—one of the sixteen federally designated critical infrastructure sectors—to designate all Title IV institutions as "covered entities" subject to federally mandated cyber incident reporting requirements.

EDUCAUSE joined with the American Association of Collegiate Registrars and Admissions Officers (AACRAO), the Association of American Universities (AAU), the Association of Governing Boards (AGB), the Association of Public and Land-grant Universities (APLU), and the National Association of Independent Colleges and Universities (NAICU) to file comments challenging the proposed application of the CIRCIA regulations to higher education institutions and raising concerns about many other aspects of the proposed rule. The associations note that the EFS and GFS have had little to no involvement with higher education institutions, reflecting the reality that while some parts of some institutions may fall under a critical infrastructure sector, higher education as a sector does not fall within the critical infrastructure framework. Therefore, we argue that the proposed inclusion of higher education in the scope of the CIRCIA regulations is inappropriate. In addition, we highlight the lack of engagement by CISA and the EFS "sector-specific agency," namely the U.S. Department of Education (ED), with the higher education community regarding this sudden change in designation.[2] This lack of communication represents a failure by CISA to fulfill its obligation under CIRCIA to engage in stakeholder outreach and consultation as part of this rulemaking, and a failure by CISA and ED to fully consult with the higher education institutional community before issuing final regulations (should CISA continue to assert regulatory oversight of higher education under CIRCIA).

The comments also highlight the concern among the associations regarding the approach proposed by CISA for implementing the "redundant reporting" exception in CIRCIA. CISA states that the proposed rule would require it and a fellow federal agency to reach a "CIRCIA Agreement" that ensures CISA will receive the same information it would receive absent redundant reporting, within the same time frame specified by the regulations.[3] However, CISA does not commit to having such agreements in place before the final rule is issued; rather, it indicates that it will work in good faith with other relevant agencies to reach CIRCIA Agreements.

From the perspective of the higher education associations that submitted comments on the proposed rule, colleges and universities should not have to bear the burden of redundant cyber incident reporting to the federal government due to the failure of federal agencies to align requirements and processes where they reasonably can. Accordingly, we propose that CISA delay the effective date of the regulations for up to two years for sectors or subsectors where a CIRCIA Agreement to mitigate redundant reporting is likely. In addition, we recommend that CISA work with federal agencies for which a CIRCIA Agreement is not an option to incorporate their reporting requirements into the reporting infrastructure for CIRCIA.[4] While such an approach would not eliminate the overhead problems that institutions will face due to the broad array of federal cyber incident reporting requirements they must meet, it could provide a one-stop site for federal cyber incident reporting and simplify the institutional response to such requirements.

Regarding the proposed criteria for determining whether an incident is reportable under CIRCIA, the associations expressed appreciation that CISA allows for judgment and discretion in deciding whether an incident is sufficiently "serious," "substantial," or disruptive to clear the reporting threshold. Nevertheless, we argue that CISA must provide more context for the proposed criteria to ensure that covered entities have the same understanding as CISA regarding the interpretation and application of each. The NPRM for CIRCIA provides only a few general examples for each criterion, which is insufficient to facilitate good-faith compliance. Thus, EDUCAUSE and its fellow associations urge CISA to work with stakeholders to develop a set of guiding principles and a related compliance framework.[5] Together, these resources could provide a more substantive basis for covered entities to make decisions about CIRCIA incident reporting with some assurance that their determinations will align with the views of CISA.

Additionally, CISA proposes that a covered entity treat any incident originating from a system, service, or data management provider, or from a supply chain compromise, as reportable, regardless of whether the covered entity would otherwise judge it "serious," "substantial," or disruptive.[6] The associations note that this criterion inappropriately places the reporting burden for a provider's incident on its clients. CISA should therefore revisit its determination of the covered entities in the IT critical infrastructure sector to ensure that it encompasses the system, services, data management, and software providers in question. In the absence of such a step, CISA should implement a simple, low-overhead notification process for covered entities to alert CISA of provider-based incidents that otherwise wouldn't be reportable by the entities themselves.[7] This approach would leverage select elements of the online reporting form and system that CISA already plans to implement, thus mitigating the overhead costs for CISA and reducing the reporting burden for incidents that originate with a provider or supply chain issue.

The proposed regulations would require covered entities to preserve all records and information related to a reported incident in their original format for two years from the last report made to CISA about the incident. Feedback from EDUCAUSE members indicates that such a requirement could quickly become a financial and process drain for institutions, depending on the affected data and systems and the storage capacity and capabilities of those systems. For example, an enterprise resource planning (ERP) system breach could require a copy of the relevant system software and associated data to be maintained separately and apart from the system and database that are in active use for two years or more, as the preservation time frame would reset every time a covered entity updates its original report. EDUCAUSE and its fellow associations suggest various alternative options that would allow for the preservation of and access to relevant information without imposing a significant overhead burden. For example, CISA could limit the "original format" requirement to systems or data for which the format is truly relevant to the forensic analysis. Likewise, CISA could implement a step-down process in which all incident records and information are maintained in their original format for ninety days, after which covered entities can convert the records and information to more readily stored but still readily accessible formats unless CISA notifies the entity of the need to extend the "original format" time frame.[8]

Finally, CISA notes in the NPRM that CIRCIA exempts state, local, tribal, and territorial (SLTT) government entities from regulatory enforcement. Therefore, that exemption is included explicitly in the proposed regulations.[9] Given that public colleges and universities would generally be understood as SLTT entities, EDUCAUSE and its fellow associations requested that CISA expressly acknowledge that the SLTT enforcement exemption also applies to public higher education institutions. Additionally, we asked CISA to modify the initial request for information (RFI) enforcement step under the proposed regulations to allow covered entities to appeal key elements of an RFI. Under the proposed rule, CISA would not allow entities to appeal the issuance of an RFI.

CIRCIA mandates that CISA produce the final version of the regulations within eighteen months of the proposed regulations. Since the CIRCIA NPRM was released in April 2024, the final regulations must be issued by October 2025. EDUCAUSE and its fellow associations remain hopeful that CISA and ED will engage with the higher education community between now and October 2025 to substantially revise their approach to colleges and universities in relation to CIRCIA, assuming that CISA does not revert to its historical treatment of higher education institutions as generally noncritical infrastructure entities. We will continue to monitor the CIRCIA landscape for new developments and provide members with the best possible information concerning the potential effects of CIRCIA regulations on higher education.

Notes

  1. Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements," Federal Register 89, no. 66 (April 2024): 23644-23776.
  2. EDUCAUSE et al. letter to Jennie M. Easterly, Director, Cybersecurity and Infrastructure Security Agency, "RE: Comments Concerning Docket Number CISA-2022-0010, 'Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements,'" July 1, 2024.
  3. Ibid.
  4. Ibid.
  5. Ibid.
  6. "CIRCIA Reporting Requirements," Federal Register, 23644-23776.
  7. "Comments Concerning 'Cyber Incident Reporting for Critical Infrastructure Act,'" July 1, 2024.
  8. Ibid.
  9. "CIRCIA Reporting Requirements," Federal Register, 23644-23776.

Jarret Cummings is Senior Advisor, Policy and Government Relations, at EDUCAUSE.

© 2024 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.