On July 3, ABC submitted comments in response to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency proposed rule on Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements. The rule imposes new cyberincident and ransom payment reporting requirements for companies deemed to have responsibility for critical infrastructure.

Specifically, entities potentially covered by the rule fall under any of 16 critical infrastructure sectors. Many construction contractors are likely to be covered by the proposed rule. The proposal would require that these covered entities report any substantial cyberincident within 72 hours, and any ransom payments made in response to a ransomware attack within 24 hours.

ABC’s comments, while recognizing the government’s vital need to protect critical infrastructure from cybersecurity threats, urged CISA to improve the rule by addressing key concerns including:

• Overly broad definitions of covered entities and incidents
• Unnecessarily costly recordkeeping requirements
• Excessively punitive approach to enforcement of reporting requirements

More information on the rule is available on CISA’s website and ABC’s previous Newsline article.

ABC has provided resources and webinars on new cybersecurity requirements affecting the construction industry at abc.org/cybersecurity.