OT Cyber Coalition Applauds Congress for Exploring Issues with CIRCIA Implementation
- ksills6
- Mar 17
- 3 min read
On Tuesday, March 11, 2025, the U.S. House of Representatives Cybersecurity and Infrastructure Protection Subcommittee for the Homeland Security Committee held a hearing examining what impact current and proposed regulations have on improving our cybersecurity posture (More info: Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime).
The hearing touched on incident reporting, industry and government engagement, cyber resilience, and in particular the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
The Operational Technology Cybersecurity Coalition (OTCC) applauds the House Committee on Homeland Security for advocating for and prioritizing cybersecurity in the 119th Congress. We strongly support the Cybersecurity and Infrastructure Security Agency (CISA) and CIRCIA and seek to ensure that they are successful in addressing cybersecurity threats faced by critical infrastructure owners and operators.
Witnesses Scott Aaronson, Heather Hogsett, Robert Mayer, and Ari Schwartz raised concerns with the way in which the CIRCIA proposed rule was drafted and coordinated, and recommended additional industry engagement with CISA before a final rule is issued. The OTCC agrees with this expert assessment. As OTCC has previously stated, it is critical that the rules and requirements are properly assessed so the government can best protect critical infrastructure without overburdening companies in the midst of responding to a cyberattack.
OTCC recommends additional engagement to address three key issues with CIRCIA: definitions, coverage of operational technology, and excessive reporting requirements.
1. Definitions
OTCC is concerned with the overly broad definition of a “covered entity” in critical infrastructure, as well as the expansive definition of a “covered cyber incident” as defined by CISA in the CIRCIA draft rule. We believe that the definitions require further specificity and would like to be a resource in this discussion.
2. Coverage of operational technology
OTCC appreciates the CIRCIA draft rule's finding that operational technology is encompassed in the definition of “information system” contained within 6 U.S.C. 650(14). The Coalition also agrees with the proposed rule's inclusion of the words “operational technology systems” within that definition, which avoids any misinterpretation about whether OT is covered by the law’s definition of information systems. We offer the OTCC’s member companies’ expertise to ensure that operational technology is sufficiently considered within this new regulation governing cyber incident reporting.
3. Excessive reporting requirements
The duplicative and overly broad reporting requirements outlined by the proposed CIRCIA rule for critical infrastructure owners, operators, and other critical sectors should be reassessed. In applying these reporting requirements to IT based on entity size, the proposed rule applied three prongs of cybersecurity risk: consequence, risk, and vulnerability. A comparable approach should be taken with OT, as a blanket application of reporting requirements to OT Original Equipment Manufacturers (OEMs), vendors, and integrators does not reflect those considerations.
The OTCC supports CIRCIA and encourages CISA to expand and restart conversations with industry to ensure the final rule reflects the realities industry faces, so that it delivers stronger security rather than additional compliance burden as we seek to secure U.S. critical infrastructure. OTCC advocates that the government pursue more public/private partnerships and looks forward to being a resource for the new administration and Congress on all things related to operational technology.