[Federal Register Volume 89, Number 88 (Monday, May 6, 2024)]
[Proposed Rules]
[Pages 37141-37142]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-09505]


 ========================================================================
 Proposed Rules
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains notices to the public of 
 the proposed issuance of rules and regulations. The purpose of these 
 notices is to give interested persons an opportunity to participate in 
 the rule making prior to the adoption of the final rules.
 
 ========================================================================
 

  Federal Register / Vol. 89, No. 88 / Monday, May 6, 2024 / Proposed 
Rules  

[[Page 37141]]



DEPARTMENT OF HOMELAND SECURITY

6 CFR Part 26

[Docket No. CISA-2022-0010]
RIN 1670-AA04


Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) 
Reporting Requirements; Extension of Comment Period

AGENCY: Cybersecurity and Infrastructure Security Agency, DHS.

ACTION: Proposed rule; extension of comment period.

-----------------------------------------------------------------------

SUMMARY: On April 4, 2024, the Cybersecurity and Infrastructure 
Security Agency (CISA) published a proposed rule in the Federal 
Register, the Cyber Incident Reporting for Critical Infrastructure Act 
of 2022 (CIRCIA), which proposes regulations implementing the statute's 
covered cyber incident and ransom payment reporting requirements for 
covered entities. CISA is extending the public comment period for the 
proposed rulemaking for an additional 30 days through July 3, 2024, in 
response to comments received from the public requesting additional 
time.

DATES: The comment period for the proposed rulemaking published on 
April 4, 2024, at 89 FR 23644 is extended an additional 30 days. 
Comments and related material must be submitted on or before July 3, 
2024.

ADDRESSES: You may send comments, identified by docket number CISA-
2022-0010, through the Federal eRulemaking Portal available at http://www.regulations.gov.
    Instructions: All comments received must include the docket number 
for this rulemaking. All comments received will be posted to https://www.regulations.gov, including any personal information provided. If 
you cannot submit your comment using https://www.regulations.gov, 
contact the person in the FOR FURTHER INFORMATION CONTACT section of 
this proposed rule for alternate instructions. For detailed 
instructions on sending comments and additional information on the 
types of comments that are of particular interest to CISA for this 
proposed rulemaking, see the SUPPLEMENTARY INFORMATION section of the 
proposed rulemaking document.
    Docket: For access to the docket and to read background documents 
mentioned in this proposed rule and comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Todd Klessman, CIRCIA Rulemaking Team 
Lead, Cybersecurity and Infrastructure Security Agency, 
[email protected], 202-964-6869.

SUPPLEMENTARY INFORMATION:

Background and Discussion

    On April 4, 2024, CISA published a notice of proposed rulemaking, 
``Cyber Incident Reporting for Critical Infrastructure Act Reporting 
Requirements'' (89 FR 23644), which proposes a rulemaking required by 
the Cyber Incident Reporting for Critical Infrastructure Act of 2022 
(CIRCIA). See 6 U.S.C. 681-681g; Public Law 117-103, as amended by 
Public Law 117-263 (Dec. 23, 2022). The proposed rule provided for a 
60-day comment period which was scheduled to close on June 3, 2024.
    CISA received comments requesting that the agency consider 
extending the comment period for an additional 30 days. Requesters 
cited the complexity inherent in addressing cybersecurity within 
critical infrastructure sectors, the potential impact of this 
rulemaking on each critical infrastructure sector, and the need for 
additional time to sufficiently review and comment. In response to 
these requests, CISA has decided to extend the public comment period by 
30 days. The comment period is now open through July 3, 2024.

Public Participation and Requests for Comments

    CISA is including in the docket a draft privacy and civil liberties 
guidance document that would apply to CISA's retention, use, and 
dissemination of personal information contained in a CIRCIA Report and 
guide other Federal departments and agencies with which CISA will share 
CIRCIA Reports. CISA encourages interested readers to review this draft 
guidance and to submit comments on it. Commenters should clearly 
identify which specific comment(s) concern the draft guidance document.
    CISA will accept comments no later than the date provided in the 
DATES section of this document. Interested parties may submit data, 
comments, and other information using any of the methods described in 
the ADDRESSES section of this document. To ensure appropriate 
consideration of your comment, indicate the specific section of this 
proposed rule and, if applicable, the specific comment request number 
associated with the topic to which each comment applies; explain a 
reason for any suggestion or recommendation; and include data, 
information, or authority that supports the recommended course of 
action. Comments submitted in a manner other than those described 
above, including emails or letters sent to Department of Homeland 
Security or CISA officials, will not be considered comments on the 
proposed rule and may not receive a response from CISA.
    Instructions to Submit Comments. If you submit a comment, you must 
submit it to the docket associated with CISA Docket Number CISA-2022-
0010. All submissions may be posted, without change, to the Federal 
eRulemaking Portal at www.regulations.gov and will include any personal 
information that you provide. You may choose to submit your comment 
anonymously. Additionally, you may upload or include attachments with 
your comments. Do not upload any material in your comments that you 
consider confidential or inappropriate for public disclosure. Do not 
submit comments that include trade secrets, confidential commercial or 
financial information, Protected Critical Infrastructure Information, 
Sensitive Security Information, or any other protected information to 
the public regulatory docket. Please submit comments containing 
protected information separately from other comments by contacting the 
individual listed in the FOR FURTHER INFORMATION CONTACT section below 
for instructions on how to submit comments that include protected 
information. CISA will not place comments containing protected 
information in the public docket and will handle them in accordance 
with applicable safeguards and restrictions on access. CISA will hold 
such

[[Page 37142]]

comments in a separate file to which the public does not have access 
and place a note in the public docket documenting receipt. If CISA 
receives a request for a copy of any comments submitted containing 
protected information, CISA will process such a request consistent with 
the Freedom of Information Act (FOIA), 5 U.S.C. 552, and the 
Department's FOIA regulation found in part 5 of title 6 of the Code of 
Federal Regulations (CFR).
    To submit a comment, go to www.regulations.gov, type CISA-2022-0010 
in the search box and click ``Search.'' Next, look for the CIRCIA 
Federal Register notice of proposed rulemaking in the Search Results 
column, and click on it. Then click on the Comment option. If you 
cannot submit your comment by using https://www.regulations.gov, call 
or email the point of contact in the FOR FURTHER INFORMATION CONTACT 
section of this document for alternate instructions.
    Viewing material in docket. For access to the docket and to view 
documents mentioned in the CIRCIA NPRM as being available in the 
docket, go to https://www.regulations.gov, search for the docket number 
provided in the previous paragraph, and then select ``Supporting & 
Related Material'' in the Document Type column. Public comments will 
also be placed in the docket and can be viewed by following 
instructions on the Frequently Asked Questions web page https://www.regulations.gov/faq. The Frequently Asked Questions page also 
explains how to subscribe for email alerts that will notify you when 
comments are posted or if another Federal Register document is 
published. CISA will review all comments received. CISA may choose to 
withhold information provided in comments from public viewing or to not 
post comments that CISA determines are off-topic or inappropriate.

Jennie M. Easterly,
Director, Cybersecurity and Infrastructure Security Agency, Department 
of Homeland Security.
[FR Doc. 2024-09505 Filed 5-3-24; 8:45 am]
BILLING CODE 9110--P