CISA PROPOSES ANOTHER LAYER OF CYBER INCIDENT REPORTING

Nothing exceeds like excess on today’s regulatory front.  If one rule is good, two or three must be better.  So it seems with an Advance Notice of Proposed Rulemaking (ANPR) issued by CISA last week that would create yet another cyber incident reporting requirement for contractors.  The 447-page ANPR covers both private sector entities and government contractors and is designed to implement requirements of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).  This specific rule would require more detailed technical disclosure information than other existing requirements.  As such, while CISA officials state that they want to “harmonize” reporting requirements among multiple platforms, their ability to do so may be limited as each set of reporting requirements has slightly different criteria.  Similarly, while CISA has been urged by some to keep reporting requirements narrow, the agency insists that it needs broader mandates to collect enough information to satisfy the requirements of the underlying law.  The law requires critical infrastructure organizations, including federal IT contractors, to report ransomware payments to CISA within 24 hours and “covered cyber incidents” to the agency within 72 hours.  While Allen Federal has lost track of all the cyber reporting rules either in place or in process of finalization, we’ve counted at least two CISA reporting requirements, one for the FBI, one to the SEC for publicly traded companies, and quite likely individual contract-level reporting requirements to agency contracting officers and/or program officials.  That is enough reporting to make Clark Kent want to change his cover.  The actual proposed rule is scheduled for release April 4th and will have a 60-day comment period.
Government contractors should definitely comment on the proposed rule and may want to emphasize that the duplicative nature of similar rules comes at a real cost of compliance, a cost that is inevitably passed on to government agencies.  It is enough to make people want to go back to hard copies and bicycle couriers.