ASAE signed a joint letter this week, led by the National Association of Manufacturers (NAM), asking the Cybersecurity & Infrastructure Security Agency (CISA) to further clarify its wording in relation to the Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA).
The letter calls on CISA to distinguish between trade associations and other covered entities, such as for-profit businesses whose products and services are critical to national security.
Trade associations do not typically own assets in or operate within critical infrastructure areas. If unchanged, this regulation could impede public-private partnerships and would burden associations through undue administrative, operational and staffer costs.
What's next: CIRCIA was passed in 2022 and requires covered entities to disclose cyber incidents or ransomware payments to relevant federal agencies without delay. The onus is on these covered entities to continue to update federal agencies with new developments and preserving any data considered relevant to an investigation into such cyber threats.
CISA indicated that they will be enacting CIRCIA by 2026.
This article was provided to OSAP by ASAE's Power of Associations and Inroads.