Business groups press CISA to narrow CIRCIA scope
Industry is asking CISA to prove criticality before forcing small businesses onto another disclosure timer.
TL;DR
Inside Cybersecurity reports that the U.S. Chamber of Commerce and Business Roundtable used CISA’s June 15 CIRCIA town hall to demand narrower “covered entity” and “substantial cyber incident” definitions before the final rule. The proposed regime covers an estimated 316,000 entities, roughly 98 percent of them small businesses, with 72-hour incident reports and 24-hour ransom-payment notices. For prime contractors, subcontractors and diversified contractors, the fight is whether CISA can use size as a proxy for criticality without inviting an overreach lawsuit.
Inside Cybersecurity reports that the U.S. Chamber of Commerce and Business Roundtable used CISA’s June 15 town hall to put the agency’s CIRCIA scoping problem in plain terms. The Chamber’s Matthew Eggers said the proposed definition of “covered entity” is too broad, relying on size- and sector-based criteria in a way that could sweep in more than 316,000 entities. The number matters because the NPRM estimates that roughly 98 percent of those covered entities would be small businesses, all facing 72-hour incident reporting and 24-hour ransom-payment notification duties.
Business Roundtable’s Amy Shuart pushed the alternative CISA now has to accept or reject: drop the size-based criterion and tie coverage to systemic risk, direct provisioning of a national critical function, and objective impact. That approach would matter for diversified companies, including contractors with one business unit tied to critical infrastructure and another with no operational connection to it. Under that model, an incident in the ordinary unit would not become a CIRCIA report merely because the parent company is large or sector-adjacent. Shuart also urged CISA to limit service-provider reporting to impacts on the providers’ own systems and to give companies at least 72 hours to file supplemental reports on material developments.
CISA has invited additional written feedback within seven days of each town hall, so this is still a rulemaking record rather than a final fight. But the record is being built in a particular direction. Industry is conceding the premise of incident reporting while attacking CISA’s proxy for who belongs in the regime. If CISA keeps broad size-based scoping, it will have to defend the national-security value of reports from noncritical business units already subject to state, federal and international rules. That is where the overreach argument gets cleanest.
Published · Deep Fathom