EDUCAUSE Comments: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements

Abstract

On July 1, 2024, EDUCAUSE joined with the American Association of Collegiate Registrars and Admissions Officers (AACRAO), the Association of American Universities (AAU), the Association of Governing Boards of Universities and Colleges (AGB), the Association of Public and Land-grant Universities (APLU), and the National Association of Independent Colleges and Universities (NAICU) to submit comments regarding the reporting requirements proposed by the Cybersecurity and Infrastructure Security Agency (CISA) under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

The associations raised concerns about a number of issues, including:

• The lack of outreach to the higher education community regarding the proposed regulations, especially given the novel basis on which CISA proposes to apply them to colleges and universities.
• The need to shield covered entities from redundant reporting to other federal agencies while CISA works to implement the CIRCIA measures intended to mitigate such redundancy.
• The importance of further engagement by CISA with the stakeholder community to provide a solid, shared foundation for determining what constitutes a reportable incident.
• The need for CISA to clarify and narrow the scope of required information, reassure covered entities about the security of reported information and the overall reporting process, and revise the proposed information preservation timeframe and requirements.
• A request for confirmation that public colleges and universities fall within the State, Local, Tribal, and Territorial (SLTT) Government Entity exception to enforcement, and for the introduction of an appeals process regarding the parameters of a request for information issued under the regulations’ enforcement provisions.