AGENCY:

Cybersecurity and Infrastructure Security Agency, DHS.

ACTION:

Proposed rule; extension of comment period.

SUMMARY:

On April 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a proposed rule in the Federal Register , the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which proposes regulations implementing the statute's covered cyber incident and ransom payment reporting requirements for covered entities. CISA is extending the public comment period for the proposed rulemaking for an additional 30 days through July 3, 2024, in response to comments received from the public requesting additional time.

DATES:

The comment period for the proposed rulemaking published on April 4, 2024, at 89 FR 23644 is extended an additional 30 days. Comments and related material must be submitted on or before July 3, 2024.

ADDRESSES:

You may send comments, identified by docket number CISA-2022-0010, through the Federal eRulemaking Portal available at http://www.regulations.gov.

Instructions: All comments received must include the docket number for this rulemaking. All comments received will be posted to https://www.regulations.gov, including any personal information provided. If you cannot submit your comment using https://www.regulations.gov, contact the person in the FOR FURTHER INFORMATION CONTACT section of this proposed rule for alternate instructions. For detailed instructions on sending comments and additional information on the types of comments that are of particular interest to CISA for this proposed rulemaking, see the SUPPLEMENTARY INFORMATION section of the proposed rulemaking document.

Docket: For access to the docket and to read background documents mentioned in this proposed rule and comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Todd Klessman, CIRCIA Rulemaking Team Lead, Cybersecurity and Infrastructure Security Agency, circia@cisa.dhs.gov, 202-964-6869.

SUPPLEMENTARY INFORMATION:

Background and Discussion

On April 4, 2024, CISA published a notice of proposed rulemaking, “Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements” (89 FR 23644), which proposes a rulemaking required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). See 6 U.S.C. 681-681g; Public Law 117-103, as amended by Public Law 117-263 (Dec. 23, 2022). The proposed rule provided for a 60-day comment period which was scheduled to close on June 3, 2024.

CISA received comments requesting that the agency consider extending the comment period for an additional 30 days. Requesters cited the complexity inherent in addressing cybersecurity within critical infrastructure sectors, the potential impact of this rulemaking on each critical infrastructure sector, and the need for additional time to sufficiently review and comment. In response to these requests, CISA has decided to extend the public comment period by 30 days. The comment period is now open through July 3, 2024.

Public Participation and Requests for Comments

CISA is including in the docket a draft privacy and civil liberties guidance document that would apply to CISA's retention, use, and dissemination of personal information contained in a CIRCIA Report and guide other Federal departments and agencies with which CISA will share CIRCIA Reports. CISA encourages interested readers to review this draft guidance and to submit comments on it. Commenters should clearly identify which specific comment(s) concern the draft guidance document.

CISA will accept comments no later than the date provided in the DATES section of this document. Interested parties may submit data, comments, and other information using any of the methods described in the ADDRESSES section of this document. To ensure appropriate consideration of your comment, indicate the specific section of this proposed rule and, if applicable, the specific comment request number associated with the topic to which each comment applies; explain a reason for any suggestion or recommendation; and include data, information, or authority that supports the recommended course of action. Comments submitted in a manner other than those described above, including emails or letters sent to Department of Homeland Security or CISA officials, will not be considered comments on the proposed rule and may not receive a response from CISA.

Instructions to Submit Comments. If you submit a comment, you must submit it to the docket associated with CISA Docket Number CISA-2022-0010. All submissions may be posted, without change, to the Federal eRulemaking Portal at www.regulations.gov and will include any personal information that you provide. You may choose to submit your comment anonymously. Additionally, you may upload or include attachments with your comments. Do not upload any material in your comments that you consider confidential or inappropriate for public disclosure. Do not submit comments that include trade secrets, confidential commercial or financial information, Protected Critical Infrastructure Information, Sensitive Security Information, or any other protected information to the public regulatory docket. Please submit comments containing protected information separately from other comments by contacting the individual listed in the FOR FURTHER INFORMATION CONTACT section below for instructions on how to submit comments that include protected information. CISA will not place comments containing protected information in the public docket and will handle them in accordance with applicable safeguards and restrictions on access. CISA will hold such Start Printed Page 37142 comments in a separate file to which the public does not have access and place a note in the public docket documenting receipt. If CISA receives a request for a copy of any comments submitted containing protected information, CISA will process such a request consistent with the Freedom of Information Act (FOIA), 5 U.S.C. 552, and the Department's FOIA regulation found in part 5 of title 6 of the Code of Federal Regulations (CFR).

To submit a comment, go to www.regulations.gov, type CISA-2022-0010 in the search box and click “Search.” Next, look for the CIRCIA Federal Register notice of proposed rulemaking in the Search Results column, and click on it. Then click on the Comment option. If you cannot submit your comment by using https://www.regulations.gov, call or email the point of contact in the FOR FURTHER INFORMATION CONTACT section of this document for alternate instructions.

Viewing material in docket. For access to the docket and to view documents mentioned in the CIRCIA NPRM as being available in the docket, go to https://www.regulations.gov, search for the docket number provided in the previous paragraph, and then select “Supporting & Related Material” in the Document Type column. Public comments will also be placed in the docket and can be viewed by following instructions on the Frequently Asked Questions web page https://www.regulations.gov/​faq. The Frequently Asked Questions page also explains how to subscribe for email alerts that will notify you when comments are posted or if another Federal Register document is published. CISA will review all comments received. CISA may choose to withhold information provided in comments from public viewing or to not post comments that CISA determines are off-topic or inappropriate.