NFFS opposes CIRCIA cybersecurity requirements for trade associations
On June 17, 2024, NFFS joined a sign-on letter with the Council of Manufacturing Associations and the National Association of Manufacturers. This letter expressed concerns about proposed regulations requiring NFFS and other industry trade associations to comply with the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which mandates that critical infrastructure entities report cyber incidents to the Department of Homeland Security (DHS).
The letter seeks clarification that trade associations like NFFS, which represent critical infrastructure industries such as primary metals and non-ferrous foundries, should not themselves be considered critical infrastructure. Even though these associations represent companies that own and operate critical infrastructure, they do not manage or control these assets directly. Trade associations argue that their main role is to support and advocate for their members, not to oversee critical infrastructure. Subjecting them to CIRCIA's reporting requirements would place unnecessary administrative burdens on them without significantly improving cybersecurity.
Additionally, the broad definition of "covered entity" in the proposed rule could unintentionally include trade associations, which were not meant to be covered by these regulations. This could hinder their ability to represent their members effectively and participate in important public-private cybersecurity partnerships.