Cyber Incident Reporting Rule (Joint Trades)

Summary

SIFMA, the American Bankers Association, the Bank Policy Institute (BPI), and the Institute of International Bankers (IIB) provided comments to the U.S. Department of Homeland Security and the U.S. Office of Management & Budget requesting to rescind and reissue the Cybersecurity and Infrastructure Security Agency’s (“CISA”) proposed rule to implement the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”).

Submitted To

U.S. Department of Homeland Security and U.S. Office of Management & Budget

Submitted By

SIFMA, ABA, BPI and IIB

Date

28 February 2025

Excerpt

Via Electronic Mail

The Honorable Kristi Noem
Secretary
U.S. Department of Homeland Security
Washington, DC 20528

The Honorable Russell T. Vought
Director
U.S. Office of Management & Budget
725 17th Street, NW
Washington, DC 20503

Dear Secretary Noem & Director Vought,

On behalf of the American Bankers Association,[1] Bank Policy Institute,[2] Institute of International Bankers,[3] and the Securities Industry and Financial Markets Association,[4] we request that you rescind and reissue the Cybersecurity and Infrastructure Security Agency’s (“CISA”) proposed rule[5] to implement the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”)[6] in accordance with Executive Order 14219[7] and the Regulatory Freeze Pending Review Memorandum.[8] We believe the proposed rule will have significant and detrimental repercussions if not substantially revised. As such, we ask that you work with industry to craft a new rule that allows a victim company to focus its resources on responding to an attack rather than filing government reports.

CIRCIA was enacted by Congress in March 2022 and tasked CISA with implementing many of the law’s key requirements. In accordance with that mandate, CISA published a notice of proposed rulemaking (“NPRM”) in April 2024.[9] Among other things, that proposal included definitions for key terms, the content of incident reports, and thresholds for reporting.

We supported CIRCIA as it was being considered by Congress because it sought to establish a uniform incident reporting standard across all critical infrastructure sectors and provide CISA with the information necessary to better defend against attacks. Unfortunately, CISA’s NPRM envisions a wide-ranging incident reporting regime that meaningfully departs from Congressional intent and would divert the attention of cyber first responders away from the critical tasks of response and recovery.[10] This includes expansive thresholds for reporting that would capture de minimis outages to non-critical services and extensive data elements that, as currently drafted, will consume the finite time of critical personnel. It is therefore vital that CISA rescind its April 2024 NPRM and issue a new proposed rule that is not only more consistent with Congressional intent, but will also achieve CIRCIA’s central purpose to “enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.”[11]

The view that CISA’s proposal is misguided is not limited to the private sector. In fact, many Congressional leaders who drafted CIRCIA and play a key role in the oversight of CISA said the NPRM exceeds their intent. For example, Representative Andrew Garbarino noted that while Congress intended to facilitate rapid information sharing by limiting industry reporting requirements to only the most critical information, “the NPRM ignores the burden to industry by asserting that technology will process the amount of information it requests.”[11] In general, Garbarino said the proposal would “undoubtedly skyrocket[] compliance work and clashes with congressional intent.”[12] Representatives Bennie Thompson, Yvette Clarke, and Eric Swalwell likewise expressed their concern that “the NPRM appears to, at times, mischaracterize or dismiss Congressional intent.”[13] Senator Gary Peters noted similar reservations, saying, “it is very important that the regulation is well-crafted and reflects both Congressional intent and the public’s recommendations. As currently written, I have concerns that the effect of this proposed rule fails to hit this mark.”[14]

On the substance of CISA’s NPRM, members of Congress also documented many of the same objections as the private sector. Representatives Thompson, Clarke, and Swalwell again observed that “some of the information required in incident reports goes beyond what is required by the statute.”[13] CIRCIA expressly sought to limit duplicative reporting by exempting covered entities from CIRCIA requirements if they already report “substantially similar” information to another Federal agency. Recognizing how the expansive data elements may nullify the exemption, Representative Garbarino encouraged CISA to “provide greater flexibility for making CIRCIA’s ‘substantially similar’ exception available to covered entities.”[15] Finally, Senator Peters indicated that CISA’s “overbroad definitions could lead to overreporting and overburdening of critical infrastructure owners and operators.”[16]

If appropriately calibrated, CIRCIA could significantly improve how critical infrastructure entities and the U.S. government defend against pervasive threats from hostile nation states. As we move toward CIRCIA’s October 2025 statutory deadline for issuing a final rule, we would welcome an ongoing dialogue with you to strike the balance Congress intended “between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”[17]

Sincerely,

/s/ John W. Carlson
John W. Carlson
Senior Vice President, Cybersecurity Regulation & Resilience
American Bankers Association

/s/ Heather Hogsett
Heather Hogsett
Senior Vice President, Deputy Head of BITS
Bank Policy Institute

/s/ Michelle Meertens
Michelle Meertens
Deputy General Counsel
Institute of International Bankers

/s/ Melissa MacGregor
Melissa MacGregor
Deputy General Counsel & Corporate Secretary
Securities Industry and Financial Markets Association

  1. The American Bankers Association is the voice of the nation’s $24.1 trillion banking industry, which is composed of small, regional and large banks that together employ approximately 2.1 million people, safeguard $19.2 trillion in deposits and extend $12.7 trillion in loans.
  2. The Bank Policy Institute is a nonpartisan public policy, research, and advocacy group that represents universal banks, regional banks, and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues. Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.
  3. The IIB represents the U.S. operations of internationally headquartered financial institutions from more than 35 countries around the world. The membership consists principally of international banks that operate branches, agencies, bank subsidiaries, and broker-dealer subsidiaries in the United States. The IIB works to ensure a level playing field for these institutions, which are an important source of credit for U.S. borrowers and comprise the majority of U.S. primary dealers. These institutions also enhance the depth and liquidity of U.S. financial markets and contribute significantly to the U.S. economy through direct employment of U.S. citizens, as well as through other operating and capital expenditures.
  4. SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry-coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”).
  5. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, 89 Fed. Reg. 23644 (Apr. 4, 2024).
  6. 6 U.S.C. § 681.
  7. Executive Order No. 14,219, Ensuring Lawful Governance and Implementing the President’s “Department of Government Efficiency” Deregulatory Initiative, 90 Fed. Reg. 10583 (Feb. 25, 2025).
  8. Exec. Office of the President, Regulatory Freeze Pending Review: Memorandum for the Heads of Executive Departments and Agencies, 90 Fed. Reg. 8249 (Jan. 28, 2025).
  9. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, 89 Fed. Reg. 23644 (Apr. 4, 2024).
  10. See American Bankers Assoc., Bank Policy Institute, Institute of Int. Bankers, & Sec. Industry & Financial Markets Assoc., Comment Letter on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements (Jun. 28, 2024), https://bpi.com/wp-content/uploads/2024/06/CIRCIA-Reporting-Requirements-CommentLetter.pdf.
  11. Representative Andrew Garbarino, Comment Letter on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements (Jul. 3, 2024).
  12. Id.
  13. Representatives Bennie G. Thompson, Yvette D. Clarke, & Eric M. Swalwell, Comment Letter on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements (Jul. 3, 2024).
  14. Senator Gary Peters, Comment Letter on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements (Jul. 2, 2024).
  15. Representative Andrew Garbarino, Comment Letter on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements (Jul. 3, 2024).
  16. Senator Gary Peters, Comment Letter on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements (Jul. 2, 2024).
  17. Press Release, U.S. Sen. Homeland Sec. Comm., Peters & Portman Landmark Provision Requiring Critical Infrastructure to Report Cyber-Attacks Signed into Law as Part of the Funding Bill (Mar. 15, 2022), https://www.hsgac.senate.gov/media/dems/peters-and-portman-landmark-provision-requiring-criticalinfrastructureto-report-cyber-attacks-signed-into-law-as-part-of-funding-bill/.