Jessica Rosenworcel, Chairwoman of the Federal Communications Commission testifies during a House Energy and Commerce Committee Subcommittee hearing on March 31, 2022 in Washington, DC. Kevin Dietsch/Getty Images

The Federal Communications Commission is claiming a space for itself in cybersecurity policymaking that Congress has already designated for the Cybersecurity and Infrastructure Security Agency under a new cyber incident reporting law, given various existing requirements at sector-specific agencies.   

“We’ll discuss how this group can work on achieving greater consistency in the reporting of cyber incidents,” FCC Chairwoman Jessica Rosenworcel said in a speech to the representatives of 30 regulatory and advisory agencies, according to a press release the commission issued Friday. “Right now, there’s a lot of fragmentation across sectors and jurisdictions in what information gets reported, when and how it is reported, and how that information can be used. So we’ll discuss using this forum as a place to work toward greater convergence on these matters.”

The forum was first convened in 2014 at the Nuclear Regulatory Commission by independent and executive-branch regulators, under a charter to “identify and explore opportunities to align, leverage and deconflict cross-sector regulatory authorities’ approaches and promote cybersecurity protection.”  

Rosenworcel relaunched it in February, asserting the need for a whole-of-government approach to cybersecurity and “to enhance communication, share lessons learned and develop a common understanding of cybersecurity activities through the sharing of best practices.” Her speech Friday highlighted regulatory efforts by Congress—passage of the incident reporting law which offers critical infrastructure companies limited liability protections in exchange for sharing reports to CISA—and the administration in a different cybersecurity landscape.

“When this body was first created in 2014, it was focused primarily on information sharing and self-regulatory approaches,” she said. “The cyber threats to our critical infrastructure have evolved since then, so this group’s mission should evolve to keep pace. Our chief objective now is to harmonize how private sector industries implement essential cybersecurity controls and how independent and executive branch regulatory agencies can ensure their work advances those efforts.”

But Rosenworcel’s first task for the forum describes a role Congress carved out in the incident-reporting law for CISA. That agency’s director, Jen Easterly, is already tasked with overseeing a rulemaking process and interagency council to hammer out agreements with sector specific agencies, such as the Department of Energy, and others that already have incident reporting requirements for how the information should be shared while avoiding a duplication of efforts by critical infrastructure entities. 

Top CISA and DHS officials participated in the forum, which was closed to the press. A CISA spokesperson said CISA Executive Director Brandon Wales "highlighted some of the ways CISA and our federal partners can work together to improve our collective defense in an evolving threat environment." CISA did not answer questions about how the agency views the FCC undertaking activities Congress directed CISA to conduct under the incident reporting law or the status of the rulemaking process at the agency. National Cyber Director Chris Inglis and Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger also participated in the FCC-led forum.

“Many have asked why it is important that we revitalize this group now,” Rosenworcel said. “To that, I would say the membership is the message.” 

Meanwhile, lawmakers with jurisdiction over the sector-specific agencies are already starting to push cabinet officials to defend their authorities in the cybersecurity space during CISA’s rulemaking process.

“We are writing to ask you to ensure that the Department of Energy maintains its existing authority as the Sector Risk Management Agency for energy sector cybersecurity,” the chair and ranking members for the relevant House and Senate committees wrote in a letter to Energy Secretary Jennifer Granholm Friday. “Without your engagement and immediate attention, we are concerned that DOE’s role in helping to ensure energy sector cyber security will be diminished.” 

The incident reporting law was promoted by Sen. Rob Portman, R-Ohio—ranking member of the Homeland Security Committee—and others, as an urgently needed measure to address the threat of Russian cyberattacks in the wake of the Kremlin’s invasion of Ukraine. But it gives CISA as long as 3.5 years to finalize rules covering crucial details. Some observers say it could take even longer—and may not even be possible—to realize its intention.

“I mean, you have a federal law that tells you to harmonize, so I anticipate the agencies are going to take that seriously and try to work something out,” Shardul Desai, a partner at the law firm Holland and Knight who formerly worked for the U.S. Attorney’s Office on cybercrime, told Nextgov. “But the focusses of the agencies and CISA are slightly different, and … I don't see how we're gonna get that harmonization. I think the only way we'll get there is if we have concessions from the agencies, which again, I don't anticipate.”

Desai said he expects negotiations between CISA and sector specific agencies will still be taking place five years from now.

NEXT STORY: Open-source Leader Advocates Strong FCC Enforcement of Routing Security

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page. Save Settings

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Help us tailor content specifically for you: