
House Homeland Security hearing urges CISA and other agencies to revise cyber incident reporting rule and harmonize regulations

2578573 · March 12, 2025


AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

The House Committee on Homeland Security’s Subcommittee on Cybersecurity and Infrastructure Protection held a hearing to examine federal cyber regulatory fragmentation and the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Chairman Andrew Garbarino said the panel’s purpose was “to evaluate the effectiveness of the federal cyber regulatory regime and to identify opportunities to harmonize cyber regulations across the federal government.”

The subcommittee pressed CISA and other regulators to revise CISA’s proposed CIRCIA rule, arguing the draft is too broad, risks overwhelming the agency with low‑value reports, and could divert industry resources away from incident response. The subcommittee’s ranking member, Representative Eric Swalwell, said the proposed rule had not sufficiently incorporated private‑sector feedback and urged CISA to reengage stakeholders before issuing a final regulation.

Why it matters: witnesses and members said duplicative reporting requirements across dozens of federal agencies are taxing security teams and reducing the time they spend on remediation. Heather Hogsett, senior vice president and deputy head of BITS at the Bank Policy Institute, told the subcommittee that banks’ security teams can spend “30 to 50% of their time on compliance and examiner management,” and that regulatory duplication can “detract from this vital work.” Scott Aaronson of the Edison Electric Institute said the proposed rule risks creating “noise” that would make it harder for CISA to “ingest the information in a meaningful way.”

What witnesses recommended: industry witnesses pressed for (1) a narrowed definition of covered entities and covered incidents so CISA receives only reports likely to indicate contagion or risk to critical services, (2) clearer limits so reporting is not duplicative with agency‑specific rules, (3) an ex parte stakeholder process to permit protected, candid engagement with industry, and (4) reauthorization of the Cybersecurity Information Sharing Act of 2015 to preserve liability and information‑sharing protections.

Scott Aaronson, senior vice president for energy security and industry operations at the Edison Electric Institute, said incident reporting “can help industry and our government partners identify threats, see patterns, set policies, and prioritize risks to better protect critical infrastructure,” but added that “details matter when it comes to how CIRCIA or any new cybersecurity policy is implemented.” Heather Hogsett of the Bank Policy Institute urged that the final rule “not extend beyond the authorities granted to it under the statute” and said some agencies’ bespoke requirements, especially the SEC’s cyber disclosure rule, are counterproductive.

Multiple witnesses and members singled out the SEC rule requiring certain public companies to disclose material cyber incidents within four business days of determining materiality, arguing it can force premature disclosure and hinder mitigation. “That rule should be rescinded,” Hogsett said, arguing it “undermines CIRCIA and confidential reporting and unnecessarily complicates incident response.”

Panelists also warned that CISA lacks the staffing and analytic capacity to meaningfully process an excessive volume of reports unless the rule is scoped to congressional intent. Witnesses cited prior government estimates and industry modeling that produced widely different report‑volume projections: Aaronson described company modeling showing tens of thousands of reports over a decade under a broad reading of the proposed rule, while the CISA estimates discussed by witnesses fell in a different range, underscoring the need for clearer definitions of covered entities and covered incidents.

Several witnesses recommended using the Critical Infrastructure Partnership Advisory Council (CIPAC) or a similar protected forum to conduct ex parte engagement. Ari Schwartz, coordinator of the Cybersecurity Coalition, said the coalition “suggest that [CISA] use an ex parte rulemaking process using the critical infrastructure partnership known as CIPAC.” Committee members and witnesses raised alarms over the Department of Homeland Security’s move to disband CIPAC, calling a replacement or successor mechanism “vital to our ability to use that partnership effectively” and urging White House‑level coordination if necessary.

No formal votes or agency actions were taken at the hearing. Members signaled willingness to press CISA to reopen stakeholder engagement and to pursue statutory or oversight options—including revisiting the SEC rule—if the agency finalizes a rule that industry and members say exceeds congressional intent.

The hearing record shows broad bipartisan concern about harmonizing cyber regulations, narrowing CIRCIA’s scope, protecting sensitive information supplied to the government, and reauthorizing the Cybersecurity Information Sharing Act of 2015 so that confidential, timelier information can flow between the private sector and government with liability protections.

Looking ahead: committee members said they will continue oversight, seek additional briefings from CISA and other agencies, and pursue legislative steps and interagency coordination to reduce duplicative reporting and protect national security while preserving useful incident reporting.