The National Association of Manufacturers (NAM) has expressed concerns over the cyber incident reporting requirements proposed by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The draft rule, issued under the Cyber Incident Reporting for Critical Infrastructure Act, would require "covered entities" in critical infrastructure sectors to report major cyber incidents to CISA within 72 hours, and any ransomware payments within 24 hours.
CISA estimates that the rule could impact more than 300,000 entities. NAM argues that many of these organizations are either not genuinely part of "critical infrastructure" or lack the resources to comply with the requirements within the specified time frame. In a letter submitted to CISA on July 2, NAM pointed out that using North American Industry Classification System (NAICS) codes results in an overly broad inclusion of companies engaged in manufacturing various products, including those whose disruption would not threaten national security.
“At a minimum, we recommend that CISA drill down much more granularly — below 6-digit NAICS codes — to only cover the manufacturing of specific product categories that are genuinely critical to our national security, national economic security, or national public health or safety,” stated NAM's letter.
Additionally, NAM criticized the proposed rules for mandating extensive reporting from companies during their recovery from cyberattacks. Charles Crain, NAM Vice President of Domestic Policy, urged CISA to reduce both the number of entities required to report and the scope of incidents needing disclosure. “Doing so will ensure that CISA receives useful information about cybersecurity incidents — without overburdening manufacturers with overbroad and unworkable disclosure requirements,” he said.