A coalition of higher education associations led by ACE has raised significant concerns about the newly proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) reporting requirements. The associations argue that the broad inclusion of higher education institutions as “covered entities” under the proposed rule could impose undue burdens on colleges and universities.In comments sent to Jennie M. Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security, ACE President Ted Mitchell emphasized the impact the proposed rule would have on institutions with varying sizes, populations, and missions.
“We are concerned that despite the fact that we have previously not been broadly considered a ‘covered entity,’ the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency failed to fully engage with the higher education community in the development of this expansive proposed rule,” Mitchell wrote.
The comments highlighted the diversity of the higher education sector, which makes a one-size-fits-all approach to cyber incident reporting particularly challenging.
“We are concerned that the proposed rule broadly includes every institution of higher education that receives Title IV student aid without consideration of size, population, or other factors,” Mitchell wrote. He further argued that the proposed rule’s lack of size limitations or distinctions, unlike those for other sectors, would result in nearly all higher education institutions being subject to the same reporting requirements.
The comments called for further distinctions to narrow the inclusion criteria for higher education institutions under CIRCIA and for more robust engagement with the higher education community.
As CISA moves forward with finalizing the rule, the higher education groups hope to collaborate closely with the agency to ensure that the unique needs and challenges of the higher education sector are adequately addressed.