[{"_1":2,"_87":-5,"_88":-5},"loaderData",{"_3":4,"_26":27},"root",{"_5":6,"_17":10,"_18":19,"_20":21,"_22":10,"_23":-5,"_24":-5,"_25":10},"user",{"_7":8,"_9":10,"_11":10,"_12":-5,"_13":-5,"_14":15,"_16":-5},"roles",[],"isAuthenticated",false,"isPremium","planName","subscriptionStatus","featureFlags",{},"insightsBudget","isDevelopmentHost","userPreferences",{},"recaptchaSiteKey","6LcvOJcUAAAAAHsB-gPGfGktcRlKpH7OTIU_dMTD","isImpersonating","impersonation","affiliateStatus","isFreedomPortal","routes/v2/article/layout",{"_28":29,"_30":31},"notFound",true,"relatedArticles",[32,75],{"_33":34,"_35":36,"_37":38,"_39":40,"_41":42,"_43":44,"_45":46,"_47":48,"_49":50,"_51":52,"_53":54,"_55":56,"_57":58,"_59":60,"_61":62,"_63":64,"_65":66,"_67":68,"_69":70,"_71":72,"_73":72,"_74":72},"mediaId",6284517,"mediaKeyId","2578573-6ed374c7b7c37ea4905a122c3fad0c5a","parentId",2578573,"title","House Homeland Security hearing urges CISA and other agencies to revise cyber incident reporting rule and harmonize regulations","audioSeconds",219,"startMs",612000,"endMs",831000,"viewUrl","/Search/View?dp=1&key=2578573-6ed374c7b7c37ea4905a122c3fad0c5a&start=612&end=831","thumbnailUrl","https://assets.pipeline.soar.com/2578573-6ed374c7b7c37ea4905a122c3fad0c5a/thumbnail_612000.jpg","articleUrl","/articles/6284517/House-Homeland-Security-hearing-urges-CISA-and-other-agencies-to-revise-cyber-incident-reporting-rule-and-harmonize-regulations","mediaUrl","https://secure.pipeline.soar.com/6284517-150ea9fa1a668369e50e3ed1e7eabcfb/orig.mp4?Expires=1771003877&Signature=gXz5NSYLNYCo-~5TohDBHwc33phF8dkhI0m8JD2WiiwRvuYx26ECgw~G4Ve8hRQPNLsOVoZQPEwLmfesbMvtj~zohdhKIPhdMIB~0ZAzL7jRny6G02rUGLIHJCh9SJwhq8Fs7JmBmmE2QIX0Fuqu0i01EyrI~avetqCbMBhvNb~Jp0kahcWI5MsKkLqYST~f-CIH22lzQduuXXuHlTzqHv0A3E1g0cH-oVtH3PU7c7kGFxjWZTBAMEQuhiHKQeemuGtmmNGUZ7hmK08QrQ2xGRny8jvtsYC7aIxihoff6RB3r-JGX7X8YSFEgN8X1lxvkOYbke4m7nmWaPmPKVCpzw__&Key-Pair-Id=KUT5TJCACFTXG","author","U.S. House Committee on Homeland Security","date","2025-03-12T03:49:27Z","article","The House Committee on Homeland Security’s subcommittee on cybersecurity and infrastructure protection opened a hearing to examine federal cyber regulatory fragmentation and the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCEA or CERCEA). Chairman Garberino said the panel’s purpose was “to evaluate the effectiveness of the federal cyber regulatory regime and to identify opportunities to harmonize cyber regulations across the federal government.”

The committee pressed CISA and other regulators to revise the agency’s proposed CIRCEA rule, arguing the draft is too broad, risks overwhelming CISA with low‑value reports and could divert industry resources away from incident response. The subcommittee’s ranking member, Representative Eric Swalwell, said the proposed rule had not sufficiently incorporated private‑sector feedback and urged CISA to reengage stakeholders before issuing a final regulation.

Why it matters: witnesses and members said duplicative reporting requirements across dozens of federal agencies are taxing security teams and reducing time spent on remediation. Heather Hogshead, senior vice president and deputy head of BITS at the Bank Policy Institute, told the subcommittee that banks’ security teams can spend “30 to 50% of their time on compliance and examiner management,” and that regulatory duplication can “detract from this vital work.” Scott Aronson of the Edison Electric Institute said the proposed rule risks creating “noise” that would make it harder for CISA to “ingest the information in meaningful way.”

What witnesses recommended: industry witnesses pressed for (1) a narrowed definition of covered entities and covered incidents so CISA receives only reports likely to indicate contagion or risk to critical services, (2) clearer limits so reporting is not duplicative with agency‑specific rules, (3) an ex parte stakeholder process to permit protected, candid engagement with industry, and (4) reauthorization of the Cybersecurity Information Sharing Act of 2015 to preserve liability and information‑sharing protections.

Scott Aronson, senior vice president for energy security and industry operations at the Edison Electric Institute, said incident reporting ‘‘can help industry and our government partners identify threats, see patterns, set policies, and prioritize risks to better protect critical infrastructure,’’ but added that ‘‘details matter when it comes to how CERCEA or any new cybersecurity policy is implemented.’’ Heather Hogshead of the Bank Policy Institute urged that the final rule ‘‘not extend beyond the authorities granted to it under the statute’’ and said some agencies’ bespoke requirements, especially the SEC’s cyber disclosure rule, are counterproductive.

Multiple witnesses and members singled out the SEC rule requiring certain public companies to disclose material cyber incidents within four business days, arguing it can force premature disclosure and hinder mitigation. ‘‘That rule should be rescinded,’’ Hogshead said, arguing it ‘‘undermines CERCEA and confidential reporting and unnecessarily complicates incident response.’’

Panelists also warned CISA lacks the staffing and analytic capacity to meaningfully process an excessive number of reports unless the agency’s rule is scoped to congressional intent. Witnesses cited prior government estimates and industry modeling that produced widely different report‑volume projections; Aronson described company modeling showing tens of thousands of reports over a decade under a broad interpretation of the proposed rule, while CISA estimates discussed by witnesses were in a different range, underscoring the need for clearer definitions.

Several witnesses recommended using the Critical Infrastructure Partnership Advisory Committee (CPAC) or a similar protected forum to conduct ex parte engagement. Ari Schwartz, coordinator of the Cybersecurity Coalition, said the coalition ‘‘suggest that [CISA] use an ex parte rulemaking process using the critical infrastructure partnership known as CPAC.’’ Committee members and witnesses raised alarms after the department moved to disband CPAC, calling any replacement or successor mechanism ‘‘vital to our ability to use that partnership effectively’’ and urging White House‑level coordination if necessary.

No formal votes or agency actions were taken at the hearing. Members signaled willingness to press CISA to reopen stakeholder engagement and to pursue statutory or oversight options—including revisiting the SEC rule—if the agency finalizes a rule that industry and members say exceeds congressional intent.

The hearing record shows broad bipartisan concern about harmonizing cyber regulations, narrowing CIRCEA’s scope, protecting sensitive information supplied to government, and reauthorizing the Cybersecurity Information Sharing Act of 2015 so that confidential, timelier information can flow between the private sector and government with liability protections.

Looking ahead: committee members said they will continue oversight, seek additional briefings from CISA and other agencies, and pursue legislative steps and interagency coordination to reduce duplicative reporting and protect national security while preserving useful incident reporting.","mediaType","Video","parentTitle","Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime","oneSentenceSummary","The House Committee on Homeland Security’s subcommittee on cybersecurity and infrastructure protection opened a hearing to examine federal cyber regulatory fragmentation and the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCEA or CERCEA).","taxTitle","Homeland Security: House Committee, Standing Committees - House & Senate, Congressional Hearings Compilation, Legislative, Federal","taxId",1831,"location","","headline","shortSummary",{"_33":76,"_35":36,"_37":38,"_39":77,"_41":78,"_43":79,"_45":80,"_47":81,"_49":82,"_51":83,"_53":84,"_55":56,"_57":58,"_59":85,"_61":62,"_63":64,"_65":86,"_67":68,"_69":70,"_71":72,"_73":72,"_74":72},6284512,"Members, witnesses debate whether private sector should be allowed or credentialed to strike back against cyber attackers",7,3810000,3817000,"/Search/View?dp=1&key=2578573-6ed374c7b7c37ea4905a122c3fad0c5a&start=3810&end=3817","https://assets.pipeline.soar.com/2578573-6ed374c7b7c37ea4905a122c3fad0c5a/thumbnail_3810000.jpg","/articles/6284512/Members-witnesses-debate-whether-private-sector-should-be-allowed-or-credentialed-to-strike-back-against-cyber-attackers","https://secure.pipeline.soar.com/6284512-d49108b416029aa8e0d74a040f575261/orig.mp4?Expires=1771003877&Signature=fyBe6tc7EGCHD8-4PpujsWRYhwAfIPgI1M-Nqb~8wAAw41VEsjyrDCvEtRqxHmgvY0SZ0u3MH4NELKRy-Xdcy7adidtytECp72Sw0TUAq2cJZrixWqfmGsv0FH874kXamRPEfhhSOl-ynZUo3hriLqjMrn6sYz-QrIBELv5CF2~m9kiVwMefEI2p3PKyQX9IIv3PN~HcZOZkUqYpUZigj6~TQYE~rpRzK9sAYLAxb1plzb6yGnNFAtzK5Dwn50PeIjhdMuaWxKhRc-HVZ4Q973Zcejr1Bi8vmKw47ZYn~e2TXNRupt9sw1N1SfwIlRrRM-jAMxHST-g-9ZoIPX~1Yw__&Key-Pair-Id=KUT5TJCACFTXG","Members of the House Homeland Security subcommittee and witnesses debated whether private companies should be empowered to conduct offensive cyber operations against attackers, and what role the federal government should play in deterrence and retaliation.

Representative Anthony D. Jimenez (questioner) framed the issue bluntly: ‘‘The only way that you’re gonna stop this is if the offensive party fears more the retaliation than what we do,’’ and he urged exploring offensive options or other mechanisms that impose consequences on attackers. Several members said the United States lacked a consistent retaliatory posture for many attacks and that adversaries will continue to strike if they face no meaningful consequences.

Industry witnesses expressed caution. Scott Aronson of the Edison Electric Institute said, ‘‘Electric companies do not wanna be in offensive cyber engagements.’’ He and other witnesses said the private sector generally prefers defensive measures and reliance on government‑led offensive capabilities, where attribution, legal authority and national security tradeoffs can be handled by appropriate agencies.

Witnesses noted practical limits: many utilities and other critical providers lack the personnel and legal authority for offensive operations; engaging in offensive cyber activities risks escalation and unintended consequences; and incorrect attribution can cause diplomatic or operational harm. Robert Mayer of US Telecom and Ari Schwartz of the Cybersecurity Coalition urged deeper operational collaboration so industry can more quickly share indicators with government partners and, where appropriate, enable government to act.

No formal policy changes or authorizations were made at the hearing. Members and witnesses agreed on the need for better government‑industry coordination, clearer authorities, and more resources for defense, attribution and response. Several members suggested exploring credentialed third‑party teams or other mechanisms to expand capacity for deterrence under government oversight, but witnesses recommended careful deliberation and legal safeguards before any change.

The exchange illustrates a sustained tension in U.S. cyber policy: private entities control most critical infrastructure and encounter attacks frequently, but government agencies retain primary authority for offensive operations and escalation decisions. Committee members signaled interest in continuing oversight and exploring legislative or operational models to improve deterrence while avoiding uncontrolled private offensive action.","During the House Homeland Security hearing several members argued for stronger deterrence, including limited offensive options, while industry witnesses cautioned against private‑sector 'hack backs' and urged government leadership and safeguards.","actionData","errors"]

Article not found

House Homeland Security hearing urges CISA and other agencies to revise cyber incident reporting rule and harmonize regulations

Members, witnesses debate whether private sector should be allowed or credentialed to strike back against cyber attackers