Cyber incident response plan should not create duplicate reporting burdens
The National Cyber Incident Response Plan (NCIRP) should promote a streamlined, non-duplicative framework for credit unions, America’s Credit Unions wrote to the Cybersecurity and Infrastructure Security Agency (CISA) Friday. CISA issued a request for comment on the NCIRP, required by legislation that mandates a cyber incident reporting framework for critical infrastructure owners.
The NCUA implemented a cyber incident notification standard in anticipation of CISA’s rulemaking, requiring credit unions to report incidents to the agency within 72 hours. The NCUA’s rule aligns with CIRCIA’s definition of a "substantial" incident.
“America’s Credit Unions supports timely and accurate cyber incident reporting but urges CISA to recognize the existing reporting frameworks for credit unions and collaborate with the NCUA to implement the substantially similar reporting exception,” the letter reads. “This will reduce the administrative burden on credit unions and allow them to focus resources on mitigation and response efforts rather than on redundant compliance tasks.
“We recommend the NCIRP recognize the value of streamlined cyber incident reporting and promote interagency agreement between the NCUA and CISA to avoid duplication of effort.”