Last week, AMWA submitted joint comments in response to DHS Cybersecurity and Infrastructure Security Agency (CISA) on its “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements.” Pursuant to legislation approved by Congress in 2022, The rule would enable CISA to enhance cybersecurity reporting across 16 critical infrastructure sectors to aggregate data, identify trends, and track cyber threat activity.
This proposed rule outlines requirements for covered critical infrastructure entities to report “covered cyber incidents” to CISA within 72 hours, or “ransom payments” within 24 hours. The proposed rule defines covered water and wastewater systems subject to the reporting requirements as those serving over 3,300 people. However, the rule also states that, per statutory limitations, this rule is not enforceable upon “a state, local, Tribal, or territorial government entity.”
AMWA, in conjunction with AWWA, NRWA, NACWA, and WEF, commented that the rule’s reporting requirements should only apply to parties upon whom this rule is enforceable, and, as such, remove publicly owned water utilities from the definition. Further, AMWA commented that this Sector requirement should be altered to apply to systems serving 50,000 or more persons.
However, the associations highlighted how members are actively encouraged to report incidents and share information through existing avenues, including state primacy agencies and fusion centers like WaterISAC.
With the CIRCIA comment period now complete, CISA is expected to finalize the rule by the fall of 2025.