Groups Urge Risk-Based Approach for Covered Entities for Cyber Incident Reporting - American Public Power Association

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) should define “covered entities” for cyber incident reporting in a risk-based manner, the American Public Power Association (APPA) and the Large Public Power Council (LPPC) said in response to a request for information (RFI) issued by CISA on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).


“While the whole electric sector is critical to national and economic security, not all electric utilities have the same risk profile,” APPA and LPPC said in their comments.


“Acknowledgement of this fact is of particular importance to public power utilities, as APPA’s and LPPC's members have widely different risk profiles ranging from an electric utility with transmission assets that serves millions of customers to a very small distribution electric utility without an industrial control system serving 200 customers,” they said.


Moreover, APPA and LPPC strongly encouraged CISA to utilize previous efforts to identify the most critical of critical systems and assets as it determines what constitutes a covered entity under the law.


APPA and LPPC believe that such a targeted definition of “covered entity” -- especially in this initial implementation period -- has the dual benefit of ensuring that entities with the highest risk profiles begin incident reporting immediately, thereby increasing national security, and keeping the number of entities covered under the law to a limited, more manageable level, allowing CISA and industry to more easily work out any implementation kinks.


APPA and LPPC also recommended that CISA tightly limit the definition of “covered cyber incident” to significant and substantial incidents that impact critical systems or services.


For example, a large electric utility that is a covered entity should have to report if it discovers an industrial control syste ..
