The U.S. Chamber of Commerce and over 20 industry groups have urged the Cybersecurity and Infrastructure Security Agency to extend by 30 days the two-month feedback period for its draft rule under the Cyber Incident Reporting for Critical Infrastructure Act, reports The Record, a news site by cybersecurity firm Recorded Future. The rule would require cyber incident and ransomware disclosures within 72 and 24 hours, respectively.
Extending the comment period "will allow organizations to thoroughly evaluate the proposed requirements, identify potential challenges, and propose effective solutions that prioritize both security and operational continuity," said the groups in a letter to CIRCIA Rulemaking Team Lead Todd Klessman.
Cybersecurity Coalition Coordinator Ari Schwartz, one of the letter's signatories, emphasized that the additional time is meant to advance discussions regarding covered entity definitions and certain penalties, not to defer the issuance of the final rule. However, CISA has rejected the request, noting that the current feedback period is already sufficient.