[Federal Register Volume 89, Number 107 (Monday, June 3, 2024)]
[Proposed Rules]
[Pages 47471-47472]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-12084]
�========================================================================
�Proposed Rules
� Federal Register
�________________________________________________________________________
�
�This section of the FEDERAL REGISTER contains notices to the public of
�the proposed issuance of rules and regulations. The purpose of these
�notices is to give interested persons an opportunity to participate in
�the rule making prior to the adoption of the final rules.
�
�========================================================================
�
��Federal Register / Vol. 89, No. 107 / Monday, June 3, 2024 / Proposed
Rules��
[[Page 47471]]
DEPARTMENT OF HOMELAND SECURITY
6 CFR Part 226
[Docket No. CISA-2022-0010]
RIN 1670-AA04
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
Reporting Requirements; Correction
AGENCY: Cybersecurity and Infrastructure Security Agency, DHS.
ACTION: Proposed rule; correction.
-----------------------------------------------------------------------
SUMMARY: On April 4, 2024, the Cybersecurity and Infrastructure
Security Agency (CISA) published, in the Federal Register, the Cyber
Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting
Requirements notice of proposed rulemaking (NPRM). The NPRM proposes
regulations to implement CIRCIA's covered cyber incident and ransom
payment reporting requirements for covered entities. In the section
describing covered entities, the NPRM included information and
references in the applicability criteria for transportation system
entities that were based on a proposed rule that has not yet been
published by the Transportation Security Administration (TSA). This
document clarifies and corrects the proposed applicability criteria for
pipeline facilities and systems in the sector-based criteria discussion
for transportation systems sector entities.
DATES: Comments to the NPRM published at 89 FR 23644 on April 4, 2024,
and related material must be submitted on or before July 3, 2024.
ADDRESSES: You may send comments, identified by docket number CISA-
2022-0010, through the Federal eRulemaking Portal available at https://www.regulations.gov.
Instructions: All comments received must include the docket number
for this rulemaking. All comments received will be posted to https://www.regulations.gov, including any personal information provided. If
you cannot submit your comment using https://www.regulations.gov,
contact the person in the FOR FURTHER INFORMATION CONTACT section of
this proposed rule for alternate instructions. For detailed
instructions on sending comments and additional information on the
types of comments that are of particular interest to CISA for this
proposed rulemaking, see the SUPPLEMENTARY INFORMATION section of the
proposed rulemaking document at 89 FR 23644 (Apr. 4, 2024).
Docket: For access to the docket and to read background documents
mentioned in this proposed rule and comments received, go to https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Todd Klessman, CIRCIA Rulemaking Team
Lead, Cybersecurity and Infrastructure Security Agency,
[email protected], 202-964-6869.
SUPPLEMENTARY INFORMATION:
Background and Discussion
On April 4, 2024, CISA published a NPRM, ``Cyber Incident Reporting
for Critical Infrastructure Act Reporting Requirements,'' 89 FR 23644,
that was required by the Cyber Incident Reporting for Critical
Infrastructure Act of 2022 (CIRCIA).\1\ CIRCIA requires covered
entities to report to CISA within certain prescribed timeframes any
covered cyber incidents, ransom payments made in response to a
ransomware attack, and any substantial new or different information
discovered related to a previously submitted report.\2\ CIRCIA further
requires the Director of CISA to implement these new reporting
requirements through rulemaking. The NPRM solicits public comment on
proposed regulations that would codify these reporting requirements.
---------------------------------------------------------------------------
\1\ See 6 U.S.C. 681-681g; Public Law 117-103, as amended by
Public Law 117-263 (Dec. 23, 2022).
\2\ 6 U.S.C. 681b(a)(1)-(3).
---------------------------------------------------------------------------
In proposed 6 CFR 226.2, Applicability, CISA proposed a list of
entities that would be required to report under the proposed
regulation.\3\ Specifically, in Sec. 226.2(b)(14), CISA proposed
sector-based criteria for ``Transportation system entities'' that would
be considered covered entities.\4\ As noted in the NPRM, CISA aligned
the aforementioned sector-based criteria's description of a covered
entity to include those entities identified by TSA as requiring cyber
incident reporting and, in some cases, enhanced cybersecurity
measures.\5\ To facilitate this alignment, CISA's NPRM proposed Sec.
226.2(b)(14) that an ``entity required by the Transportation Security
Administration to report cyber incidents'' or otherwise meets one or
more criteria related to owners and operators of various non-maritime
transportation system infrastructure, such as freight railroad, public
transportation and passenger railroads (PTPR), pipeline facilities and
systems, over-the-road bus (OTRB) operations, passenger and all-cargo
aircraft, indirect air carriers, airports, and Certified Cargo
Screening Facilities, would be considered a covered entity.\6\ Each of
these proposed criteria included specific references to where these
entities are identified in TSA's current regulations.\7\ However, for
the sector-based criteria that would be applicable to pipeline
facilities or systems, the proposed criterion references a section, 49
CFR 1586.101, that TSA intends to include in TSA's forthcoming
Enhancing Surface Cyber Risk Management NPRM, which has not yet been
published in the Federal Register.\8\ Until that rule is finalized, the
section related to pipeline facilities or systems does not exist in the
CFR. Because the CIRCIA NPRM does not specifically describe which
pipeline facilities or systems that CISA proposes as covered entities
until TSA's rulemaking is finalized, CISA's intent through this notice
is to clarify and correct this point.
---------------------------------------------------------------------------
\3\ 89 FR 23768 (Apr. 4, 2024).
\4\ 89 FR 23768.
\5\ See 89 FR 23699-23701.
\6\ 89 FR 23768.
\7\ See 89 FR 23768.
\8\ See 89 FR 23768 and TSA, Fall 2023 Unified Agenda, RIN 1652-
AA74: Enhancing Surface Cyber Risk Management, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310RIN=1652-AA74
(accessed May 14, 2024).
---------------------------------------------------------------------------
As stated in the CIRCIA NPRM, CISA's intent is to align CIRCIA
requirements applicable to aviation and surface transportation entities
with TSA's requirements to support reduction of duplication and to
avoid unintended gaps in cyber incident reporting. As such, CISA
proposed applicability criteria describing covered entities in 6 CFR
226.2(b)(14) that include entities that are currently required, or will
be required, to report
[[Page 47472]]
cyber incidents to TSA.\9\ It is for this reason that CISA specifically
proposed describing a covered entity as an ``entity [that] is required
by the Transportation Security Administration to report cyber
incidents'' in proposed 6 CFR 226.2(b)(14), so that any entities, such
as pipeline facilities or systems, that are required to currently
report cyber incidents to TSA under Security Directives would also be
considered covered entities that are required to report under CIRCIA.
---------------------------------------------------------------------------
\9\ 89 FR 23768.
---------------------------------------------------------------------------
For the surface transportation sector, TSA currently requires
reporting of cyber incidents to CISA by owner/operators of certain
freight railroads, passenger railroads, rail transit systems, and
hazardous and natural gas pipeline facilities and systems pursuant to
Security Directives issued under the authority of 49 U.S.C.
114(l)(2).\10\ Under these Security Directives, TSA notifies owner/
operators of pipeline facilities or systems directly if the
requirements in the Security Directive are applicable to them. Using a
risk-based approach, a small percentage within each mode of
transportation are required to report cybersecurity incidents, but
these entities represent a significant portion of capacity, throughput,
and ridership for each of these modes. As indicated in the CIRCIA NPRM,
and as described in this notice, CISA proposes that all such owners/
operators of pipeline facilities and systems identified by TSA and
required to report cybersecurity incidents pursuant to TSA Security
Directives are considered covered entities under 6 CFR 226.2(b)(14)
until TSA finalizes its Enhancing Surface Cyber Risk Management rule.
---------------------------------------------------------------------------
\10\ See 89 FR 23651.
---------------------------------------------------------------------------
To address the concern regarding cross-referencing a regulatory
section that does not currently exist, CISA is issuing this correction
to remove the reference to that specific regulatory section and,
instead, propose criterion to make clear that CIRCIA's description of a
covered entity for pipeline facilities or systems includes any entity
that is currently required by TSA to report cyber incidents under a
Security Directive or is otherwise identified as required to report
under TSA's final regulations. For owner/operators of pipeline
facilities or systems not currently subject to reporting requirements
under TSA's Security Directives, it is CISA's understanding, through
consultation with TSA, that TSA intends to continue using a risk-based
approach in determining entities subject to its regulations, similar to
its Security Directive approach and that applicability of cyber
incident reporting requirements beyond the existing Security Directives
will not be substantially expanded. TSA's Security Directives indicate
that approximately 100 pipeline systems are considered the most
critical.\11\ CISA acknowledges the total number of owner/operators may
slightly change consistent with an updated risk analysis developed for
purposes of TSA's proposed rule. However, CISA continues to believe the
Regulatory Impact Analysis for the CIRCIA rulemaking is an accurate
estimate insomuch that the applicability of the TSA covered entities
will continue to be approximately 115 entities.\12\
---------------------------------------------------------------------------
\11\ See TSA Security Directive Pipeline-2021-02D, at 4 n.9
(citing section 1557(b) of the Implementing Recommendations of the
9/11 Commission Act of 2007, Public Law 110-53 121 Stat. 266, 475
(codified at 6 U.S.C. 1207(b)).
\12\ See Section 2.2.14 of the Preliminary RIA, which estimates
115 pipeline entities would be affected by the proposed criteria for
pipeline facilities or systems.
---------------------------------------------------------------------------
As mentioned in the CIRCIA NPRM, CISA believes that aligning
CIRCIA's Applicability section with the population of entities from
which TSA requires cyber incident reporting or at which TSA requires
the implementation of enhanced cybersecurity measures is appropriate
for CIRCIA and consistent with the factors contained in 6 U.S.C.
681b(c)(1). CISA will continue to coordinate with TSA throughout the
rulemaking process to harmonize CIRCIA's Applicability section with
TSA, to the maximum extent practicable.
Comments on the NPRM and related material must be submitted on or
before July 3, 2024. See Cyber Incident Reporting for Critical
Infrastructure Act (CIRCIA) Reporting Requirements; Extension of
Comment Period at 89 FR 37141. DHS believes this correction does not
warrant extending the current 90-day comment period for the NPRM.
Correction
0
In FR Doc. 2024-06526, published at 89 FR 23644 in the issue of April
4, 2024, on page 23768, in the third column, in Sec. 226.2, correct
paragraph (b)(14)(iv) to read as follows:
Sec. 226.2 [Corrected]
* * * * *
(b) * * *
(14) * * *
(iv) A pipeline facility or system owner or operator required to
report cyber incidents by the Transportation Security Administration;
* * * * *
Jennie M. Easterly,
Director, Cybersecurity and Infrastructure Security Agency, Department
of Homeland Security.
[FR Doc. 2024-12084 Filed 5-30-24; 8:45 am]
BILLING CODE 9111-LF-P