Proposed regulations for reporting cybersecurity incidents impacting critical infrastructure go beyond what Congress intended and should be re-drafted to be less of a burden for electric cooperatives, NRECA told the Department of Homeland Security.

NRECA filed comments July 3 to the DHS Cybersecurity and Infrastructure Security Agency (CISA) calling its proposal to carry out the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) counterproductive for electric co-ops’ cyber efforts.

“NRECA supports CISA’s goal of improving the nation’s cybersecurity posture, but the agency needs to adhere to congressional intent and avoid requirements that are overly broad and will strain our cyber workforce,” said John Ransom, NRECA director for cybersecurity regulatory affairs.

NRECA asked the agency to raise its threshold for reporting a cyber incident to include only incidents that impact operations. It also asked the agency to take a risk-based approach to identifying entities rather than expanding authority over a wide number of utilities.

“Requiring all electric utilities to report incidents exceeds Congress’s intent and would create significant new costs for cooperatives and the communities they serve,” Ransom said. “Further, this proposal has the potential to increase cyber risk to cooperatives by stretching their cyber resources to focus on compliance activities rather than incident response.”

NRECA also asked CISA to ensure protection of the sensitive information provided in CIRCIA reports and avoid duplicating cyber reporting requirements from other agencies, including the Department of Energy, the Federal Energy Regulatory Commission and the North American Electric Reliability Corp.

“Electric cooperatives are dedicated cybersecurity partners and take pride in the service they provide to their communities and the nation,” said Ransom. “We encourage CISA to support, not detract, from co-ops’ strong efforts to keep the country cybersecure.”

A final rule to implement CIRCIA is due in 2025.