EDUCAUSE Reiterates Concerns Over CISA's Cyber Incident Reporting Proposed Rule

EDUCAUSE recently sent a letter to the Cybersecurity and Infrastructure Security Agency (CISA) to reemphasize concerns about CISA's proposed rule regarding cyber incident reporting under the Cyber Incident Reporting for Critical Infrastructure Act.

EDUCAUSE recently sent a letter to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) to reemphasize the primary concerns of the higher education community regarding CISA's notice of proposed rulemaking (NPRM) that establishes parameters for cyber incident reporting under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).[1] Although EDUCAUSE previously transmitted formal comments to CISA in response to the NPRM developed under the Biden administration, the Trump administration has since taken numerous executive actions related to regulatory review and to risk preparedness and resilience objectives that align with the association's concerns about the proposal.[2] Given that the Trump administration will be tasked with concluding the regulatory process and issuing a final rule, EDUCAUSE's letter sought to contextualize the association's concerns with the NPRM in light of these executive actions.

Background: A Refresher on CIRCIA and the NPRM

President Biden signed CIRCIA into law in 2022. As its name suggests, CIRCIA sets forth parameters related to cyber incident reporting within critical infrastructure sectors and directs CISA to produce the regulations implementing the statute. CIRCIA required CISA to engage in substantive outreach to federal and nonfederal stakeholders as part of the regulatory process and to produce final regulations by October 2025. As part of that process, CISA issued a request for information in 2022 that sought input on a variety of topics related to potential requirements for cyber incident reporting. The agency then released its NPRM in 2024.[3]

The NPRM indicates that higher education institutions in general would be designated as "covered entities" under the proposal, which came as a surprise to EDUCAUSE and leaders in the institutional cybersecurity community.[4] DHS and CISA have not historically considered higher education writ large to be a critical infrastructure sector—although a traditionally recognized sector such as health care or defense may at times apply to a discrete part of a college or university. Moreover, CIRCIA defines a covered entity as "an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21 (PPD-21) . . . ," whereas PPD-21 does not reference educational facilities or higher education institutions at all, much less as a sector considered to be critical infrastructure.[5]

However, the NPRM attempts to leverage a tenuous connection between higher education institutions and the Education Facilities Subsector (EFS), which is housed within the Government Facilities Sector (GFS), to make the case that colleges and universities should fall under the CIRCIA requirements. Only one EFS critical infrastructure plan exists to date, which focuses primarily on emergency management issues for K–12 educational facilities and makes only a few passing references to cybersecurity at higher education institutions.[6] Furthermore, PPD-21 was issued in 2013—three years after the release of that sole EFS critical infrastructure plan. The most recent, potentially relevant document—the 2015 GFS plan—contains only two references to higher education, neither of which mentions cybersecurity and one of which mistakenly asserts that PPD-21 incorporates the EFS into the GFS.[7] As discussed above, PPD-21 makes no mention of the EFS.

The Trump Administration and EDUCAUSE's 2025 Letter to CISA

Although the Biden administration developed and issued the NPRM, the second Trump administration is charged with completing the regulatory process—including reviewing public comments and finalizing the statutorily required regulation. Meanwhile, President Trump has directed agencies to review all regulations under their purview to identify those that are, among other things, "based on anything other than the best reading of the underlying statutory authority or provision" and "are based on unlawful delegations of legislative power." He has also directed relevant agencies to work with the White House to recommend to him the policy revisions required to enhance resilience and "shift from an all-hazards approach to a risk-informed approach."[8] The EDUCAUSE policy team found both executive actions to be particularly relevant, given our underlying concerns with the NPRM, and saw value in raising these issues with the new administration.

The Administration's Regulatory Review

EDUCAUSE's recent letter to CISA explains why the Biden administration's NPRM conflicts with the current administration's regulatory objectives, particularly in light of CIRCIA's requirement that CISA engage in substantive outreach to impacted stakeholders as part of the regulatory process.[9] For the reasons outlined above, higher education institutions had no reason to consider CISA's request for information process or public listening sessions as relevant. Moreover, EDUCAUSE is not aware of any outreach that CISA conducted to any higher education leadership or professional organization during the required stakeholder outreach activity. As stated above, the decision to include higher education institutions as covered entities in the proposal is based on a tenuous interpretation (at best) of the existing critical infrastructure documentation to date, and higher education is not mentioned in the only government memorandum (PPD-21) that CIRCIA references as the statutory basis for defining a covered entity.

The Administration's Resilience Enhancement Efforts

EDUCAUSE's letter also explains why CISA's NPRM runs counter to the administration's resilience enhancement efforts.[10] Rather than taking a risk-informed approach, the proposal embodies an all-hazards approach and specifically notes that "the overwhelming majority of entities in the United States . . . fit within one or more of the critical infrastructure sectors and thus would meet the definition of 'an entity in a critical infrastructure sector.'" The NPRM also explains that CISA "believes it is important to require reporting from IHE more broadly" to "ensure reporting from a sufficient cross-sector of entities to understand and be able to share information on threats to our nation's education facilities."[11] However, the NPRM, as developed and drafted, is not capable of achieving that objective by virtue of CISA's failure to meet its stakeholder outreach obligations. The government has failed to engage higher education institutions to determine what an appropriate cross-section looks like and to understand how leveraging the sector's preexisting reporting requirements across other jurisdictions could drive efficiencies that enhance overall resilience.

What's Next

CIRCIA requires CISA to produce final regulations by October 2025. That said, it is unclear whether the agency will be able to complete its work over the next two months to meet that deadline. President Trump's nominee to serve as the director of CISA has yet to receive Senate confirmation, and a recent op-ed from a former CISA senior advisor articulates the challenges the agency may face in issuing a final rule by October.[12] EDUCAUSE will continue to monitor the administration's regulatory activity and CISA's efforts on cyber incident reporting to keep members apprised of developments.

Notes

  1. EDUCAUSE letter to Madhu Gottumukkala, Cybersecurity and Infrastructure Security Agency, "Re: Notice of Proposed Rulemaking: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements," June 18, 2025; Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements," Federal Register 89, no. 66 (April 2024): 23644–23776; "Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)," Cyber Threats and Advisories, Information Sharing, U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, accessed July 31, 2025.
  2. EDUCAUSE et al., letter to Jennie M. Easterly, Director, Cybersecurity and Infrastructure Security Agency, "RE: Comments Concerning Docket Number CISA-2022-0010, 'Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements,'" July 1, 2024.
  3. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, "Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022," Federal Register 87, no. 175 (September 12, 2022).
  4. Jarret Cummings, "EDUCAUSE Pushes Back on Proposed Cyber Incident Reporting Regulations," EDUCAUSE Review, July 23, 2024.
  5. Cybersecurity and Infrastructure Security Agency, "CIRCIA Reporting Requirements," 23660; The White House, "Presidential Policy Directive—Critical Infrastructure Security and Resilience," press release, February 12, 2013.
  6. Education Facilities Sector-Specific Plan: An Annex to the Government Facilities Sector-Specific Plan (Washington, DC: U.S. Department of Homeland Security and U.S. Department of Education, 2010).
  7. Government Facilities Sector-Specific Plan: An Annex to the NIPP 2013 (Washington, DC: U.S. Department of Homeland Security and the General Services Administration, 2015).
  8. The Executive Office of the President, Executive Order 14219 of February 19, 2025, "Ensuring Lawful Governance and Implementing the President's 'Department of Government Efficiency' Deregulatory Initiative," Federal Register 90, no. 36 (February 25, 2025): 10583; The Executive Office of the President, Executive Order 14239 of March 18, 2015, "Achieving Efficiency through State and Local Preparedness," Federal Register 90, no. 54 (March 21, 2025): 13267.
  9. EDUCAUSE letter to CISA, "Re: NPRM: CIRCIA Reporting Requirements," June 2025.
  10. Ibid.
  11. Cybersecurity and Infrastructure Security Agency, "CIRCIA Reporting Requirements," 23704, 23691.
  12. Lauren Boas Hayes, "CISA Is Facing a Tight CIRCIA Deadline. Here's How Sean Plankey Can Attempt to Meet It," CyberScoop, July 30, 2025.

Kathryn Branson is a Partner at Ulman Public Policy.

© 2025 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.