Communications Litigation Today was a Warren News publication.

State Election Officials Ask CISA to Make Cyber Rules Voluntary

The Cybersecurity and Infrastructure Security Agency should consider allowing state and local governments to voluntarily comply with new rules under a 2022 cyber incident reporting law, the National Association of Secretaries of State told CISA in comments due last week. CISA is finalizing rules for the Cyber Incident Reporting for Critical Infrastructure Act, with requirements for critical infrastructure owners and operators (see 2203160051). The agency posted comments through Thursday. NASS membership includes top state election officials from 40 states and territories, including Alabama, California, Colorado, Florida and New York. Its comments note that state and local election officials share cyber information with CISA on a "well-functioning,” voluntary basis. Industry groups asked CISA in the past for narrow rules and to avoid overly burdensome reporting requirements for companies (see 2211290071). NASS is “concerned” the proposed rules may “disincentivize” state and local officials from participating in their “well-functioning voluntary partnership.” It continued, “CISA should prioritize continuing to maintain this voluntary partnership over imposing requirements on SLTT government entities.” The proposed rules are “overly broad and would strain the resources of SLTT government entities during a critical time for cyber incident response.” The incident reports would require hours or staff time, which is “challenging for state government entities and potentially impossible for many small local jurisdictions,” NASS said.