This post first appeared on Next Gov. Read the original article.
The commission is joining the fray in a budding turf fight at the Cybersecurity and Infrastructure Security Agency that also involves sector risk management agencies like the Department of Energy.
The Federal Communications Commission is claiming a space for itself in cybersecurity policymaking that Congress has already designated for the Cybersecurity and Infrastructure Security Agency under a new cyber incident reporting law, given various existing requirements at sector-specific agencies.
“We’ll discuss how this group can work on achieving greater consistency in the reporting of cyber incidents,” FCC Chairwoman Jessica Rosenworcel said in a speech to the representatives of 30 regulatory and advisory agencies, according to a press release the commission issued Friday. “Right now, there’s a lot of fragmentation across sectors and jurisdictions in what information gets reported, when and how it is reported, and how that information can be used. So we’ll discuss using this forum as a place to work toward greater convergence on these matters.”
The forum was first convened in 2014 at the Nuclear Regulatory Commission by independent and executive-branch regulators, under a charter to “identify and explore opportunities to align, leverage and deconflict cross-sector regulatory authorities’ approaches and promote cybersecurity protection.”
Rosenworcel relaunched it in February, asserting the need for a whole-of-government approach to cybersecurity and “to enhance communication, share lessons learned and develop a common understanding of cybersecurity activities through the sharing of best practices.” Her speech Friday highlighted regulatory efforts by Congress—passage of the incident reporting law which offers critical infrastructure companies limited liability protections in exchange for sharing reports to CISA—and the administration in a different cybersecurity landscape.
“When this body was first created in 2014, it was focused primarily on information sharing and self-regulatory approaches,” she said. “The cyber threats to our critical infrastructure have evolved since then, so this group’s mission should evolve to keep pace. Our chief objective now is to harmonize how private sector industries implement essential cybersecurity controls and how independent and executive branch regulatory agencies can ensure their work advances those efforts.”
But Rosenworcel’s first task for the forum describes a role Congress carved out in the incident-reporting law for CISA. That agency’s director, Jen Easterly, is already tasked with overseeing a rulemaking process and interagency council to hammer out agreements with sector specific agencies, such as the Department of Energy, and others that already have incident reporting requirements for how the information should be shared while avoiding a duplication of efforts by critical infrastructure entities.
Top CISA and DHS officials participated in the forum, which was closed to the press. A CISA spokesperson said CISA Executive Director Brandon Wales “highlighted some of the ways CISA and our federal partners can work together to improve our collective defense in an evolving threat environment.” CISA did not answer questions about how the agency views the FCC undertaking activities Congress directed CISA to conduct under the incident reporting law or the status of the rulemaking process at the agency. National Cyber Director Chris Inglis and Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger also participated in the FCC-led forum.
“Many have asked why it is important that we revitalize this group now,” Rosenworcel said. “To that, I would say the membership is the message.”
Meanwhile, lawmakers with jurisdiction over the sector-specific agencies are already starting to push cabinet officials to defend their authorities in the cybersecurity space during CISA’s rulemaking process.