CIRCIA Rulemaking Keeps Federal Cyber Reporting In Motion

    Updated:

    June 21, 2026

    The U.S. government’s long-delayed CIRCIA rulemaking is still moving toward a final federal cyber incident reporting regime for critical infrastructure operators, after CISA revived public town halls in June 2026 to refine a draft rule criticized as broad, costly, and hard to reconcile with existing sector rules. No final rule had been published as of June 18, 2026.

    What Is The CIRCIA Rulemaking And Why Does It Matter For Critical Infrastructure?

    The CIRCIA rulemaking is CISA’s effort to turn the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into binding reporting rules for covered critical infrastructure entities. It matters because the rule would create federal deadlines for reporting major cyber incidents and ransom payments to CISA.

    Congress passed CIRCIA after a series of attacks on U.S. critical infrastructure, including the 2021 Colonial Pipeline ransomware incident. The law directed CISA to collect incident data so the federal government can warn other victims, spot attack patterns, and support response activity across sectors.

    The rule is still not final. CISA published the proposed rule on April 4, 2024, extended the comment period to July 3, 2024, delayed final action past the statutory target, and reopened engagement through virtual town halls scheduled for June 15 to June 18, 2026.

    CIRCIA Rulemaking Moves Toward Federal Cyber Reporting

    What Is The CIRCIA Timeline From The 2021 Colonial Pipeline Attack To 2026 Town Halls?

    The CIRCIA timeline began with growing concern after major infrastructure attacks in 2021, followed by enactment on March 15, 2022, a CISA request for information on September 12, 2022, a proposed rule on April 4, 2024, and a revised town hall notice on May 26, 2026.

    CISA held early listening sessions and requested input before drafting the rule. The 2022 request for information asked for comments on covered entities, covered cyber incidents, report content, other reporting rules, enforcement, and privacy protections.

    The proposed rule was published in the Federal Register on April 4, 2024. CISA initially set comments due on June 3, 2024, then extended the deadline to July 3, 2024 after commenters requested more time because of the rule’s complexity and sector-wide impact.

    CIRCIA required CISA to issue a final rule within 18 months of the NPRM’s publication. CyberScoop reported in September 2025 that the final rule target moved to May 2026. CISA then announced town halls in February 2026, rescheduled them on May 26, 2026, and cited a DHS appropriations lapse from February 14, 2026, to April 30, 2026.

    What Would CIRCIA Require Covered Entities To Report To CISA?

    CIRCIA would require covered entities to report covered cyber incidents to CISA within 72 hours after they reasonably believe such an incident occurred. It would require ransom payment reports within 24 hours after payment, and supplemental reports when substantial new or different information becomes available.

    CISA proposed to define a covered cyber incident as a substantial cyber incident experienced by a covered entity. The proposed rule lists 4 threshold impacts: substantial loss of confidentiality, integrity, or availability; serious impact on safety or resiliency; disruption of business or industrial operations; and unauthorized access caused through cloud, managed service, hosting, or supply-chain compromise.

    The proposed rule would allow a joint report when a covered entity experiences a covered cyber incident and makes a ransom payment within the 72-hour incident-reporting window. It would use a web-based CIRCIA Incident Reporting Form as the main submission channel, with a backup method at the CISA director’s discretion.

    CISA also proposed records preservation duties. Covered entities would have to preserve relevant data for at least 2 years from the latest required CIRCIA report, including threat actor communications, indicators of compromise, log entries, forensic images, network traffic, attack vector details, ransom payment records, and forensic reports.

    Which Critical Infrastructure Entities Would Fall Under CIRCIA?

    The proposed CIRCIA rule would apply to covered entities in the 16 U.S. critical infrastructure sectors that meet size-based or sector-specific criteria. CISA estimated 316,244 covered entities could be affected, including businesses, government entities, and organizations across healthcare, energy, finance, water, transportation, manufacturing, communications, and other sectors.

    The NPRM estimated that 310,855 of the 316,244 covered entities would be small entities. It also said the proposed scope excludes many smaller organizations that do not meet size or sector-based criteria, though industry groups argued the rule still sweeps too broadly.

    CISA’s sector list includes chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, government facilities, food and agriculture, healthcare and public health, information technology, nuclear reactors and materials, transportation systems, and water and wastewater systems.

    What Penalties Can CISA Use For Missing A CIRCIA Report?

    CISA’s proposed enforcement tools include requests for information, subpoenas, civil actions through the Attorney General, and possible acquisition penalties, suspension, or debarment where a covered entity fails to report. The proposal does not create a single public fine schedule for every missed report.

    Under the NPRM, CISA may issue a request for information when it believes a covered entity failed to submit a required report. The director may issue a subpoena no earlier than 72 hours after the request for information when the entity does not provide an adequate response.

    False statements create a separate legal risk. The WSJ reported that CISA said good-faith early information that later proves inaccurate would not be treated as a false statement, but knowingly false statements to the federal government can carry criminal consequences.

    What Should Critical Infrastructure Organizations Do Before The CIRCIA Final Rule?

    Critical infrastructure organizations should prepare now because the final rule could leave short operational timelines for 72-hour incident reporting, 24-hour ransom payment reporting, supplemental updates, and 2-year evidence preservation. Practical preparation starts with scoping, incident classification, escalation routing, and report-ready evidence collection.

    Organizations should map whether they may qualify as covered entities under size-based or sector-specific criteria. Legal, security, compliance, and operations teams should define who decides when the organization has a reasonable belief that a covered cyber incident occurred.

    Security teams should update incident response plans, create report templates, classify ransom-payment decision workflows, preserve logs and forensic artifacts, and test notification timelines. Procurement teams should update contracts with cloud providers, managed service providers, incident response firms, and ransom negotiators so third parties can support reporting without shifting legal responsibility away from the covered entity.
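    The reporting clocks described above (72 hours from reasonable belief for a covered cyber incident, 24 hours from a ransom payment, a joint report when the payment falls inside the 72-hour window, and evidence preservation for at least 2 years after the latest required report) are easy to get wrong when they are tracked by hand during an incident. The following Python tracker is an added example for testing notification timelines in an exercise; it is not code from the article, from CISA, or from the NPRM. It assumes UTC timestamps, treats the earlier of the two deadlines as the binding one for a joint report (a conservative reading, not the rule's own wording), anchors the retention period on the incident deadline until a report is actually filed, and counts the 2 years as calendar years.

```python
"""Constructed CIRCIA deadline tracker for tabletop exercises (illustrative).

Encodes the proposed-rule clocks as described in the article. None of the
timestamps below refer to a real incident.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

INCIDENT_WINDOW = timedelta(hours=72)   # covered cyber incident report
RANSOM_WINDOW = timedelta(hours=24)     # ransom payment report
PRESERVATION_YEARS = 2                  # "at least 2 years" after the latest report


def _add_years(when: datetime, years: int) -> datetime:
    """Add calendar years; when the target date does not exist (Feb 29),
    roll forward to Mar 1 so retention is never shorter than the minimum."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, month=3, day=1)


@dataclass
class CirciaIncident:
    # All timestamps must be timezone-aware; naive values are rejected.
    reasonable_belief_at: datetime
    ransom_paid_at: Optional[datetime] = None
    reports_submitted_at: list[datetime] = field(default_factory=list)

    def __post_init__(self) -> None:
        for ts in [self.reasonable_belief_at, self.ransom_paid_at, *self.reports_submitted_at]:
            if ts is not None and ts.tzinfo is None:
                raise ValueError("timestamps must be timezone-aware")

    def incident_report_due(self) -> datetime:
        return self.reasonable_belief_at + INCIDENT_WINDOW

    def ransom_report_due(self) -> Optional[datetime]:
        if self.ransom_paid_at is None:
            return None
        return self.ransom_paid_at + RANSOM_WINDOW

    def joint_report_eligible(self) -> bool:
        """A joint report is possible when the payment lands inside the
        72-hour incident window (not before the incident clock started)."""
        if self.ransom_paid_at is None:
            return False
        return self.reasonable_belief_at <= self.ransom_paid_at <= self.incident_report_due()

    def effective_deadline(self) -> datetime:
        """Earliest clock that must be met. Assumption: a joint submission is
        planned for the earlier of the two deadlines, which satisfies both."""
        due = [self.incident_report_due()]
        ransom_due = self.ransom_report_due()
        if ransom_due is not None:
            due.append(ransom_due)
        return min(due)

    def preservation_until(self) -> datetime:
        """Retention runs from the latest required report; before any report
        exists we anchor on the incident deadline (assumption)."""
        anchor = max(self.reports_submitted_at) if self.reports_submitted_at else self.incident_report_due()
        return _add_years(anchor, PRESERVATION_YEARS)

    def hours_remaining(self, now: datetime) -> float:
        """Negative once the effective deadline has passed."""
        return (self.effective_deadline() - now) / timedelta(hours=1)

    def status(self, now: datetime) -> dict:
        return {
            "incident_report_due": self.incident_report_due(),
            "ransom_report_due": self.ransom_report_due(),
            "joint_report_eligible": self.joint_report_eligible(),
            "effective_deadline": self.effective_deadline(),
            "hours_remaining": round(self.hours_remaining(now), 1),
            "preserve_until": self.preservation_until(),
        }


# Constructed sample: belief at 10:00 UTC on June 1, payment ~46 hours later,
# a joint report, then a supplemental report that restarts the retention clock.
SAMPLE = CirciaIncident(
    reasonable_belief_at=datetime(2026, 6, 1, 10, 0, tzinfo=timezone.utc),
    ransom_paid_at=datetime(2026, 6, 3, 8, 0, tzinfo=timezone.utc),
    reports_submitted_at=[
        datetime(2026, 6, 4, 7, 30, tzinfo=timezone.utc),   # joint report
        datetime(2026, 6, 20, 15, 0, tzinfo=timezone.utc),  # supplemental report
    ],
)

# Constructed leap-day sample: latest report on Feb 29, 2028 -> retention to Mar 1, 2030.
SAMPLE_LEAP = CirciaIncident(
    reasonable_belief_at=datetime(2028, 2, 27, 9, 0, tzinfo=timezone.utc),
    reports_submitted_at=[datetime(2028, 2, 29, 12, 0, tzinfo=timezone.utc)],
)

if __name__ == "__main__":
    now = datetime(2026, 6, 2, 10, 0, tzinfo=timezone.utc)
    for key, value in SAMPLE.status(now).items():
        print(f"{key:24} {value}")
```

    Running it with the constructed sample shows the ransom clock (due June 4 at 08:00 UTC) expiring two hours before the incident clock, which is the kind of detail a tabletop exercise should surface: once a payment is made late in the 72-hour window, the 24-hour ransom deadline becomes the binding one, and each supplemental report pushes the preservation end date out again.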

    Why Did Industry Groups Push Back Against The CIRCIA Proposed Rule?

    Industry groups pushed back because they said the proposed CIRCIA rule was too broad, too detailed, and too hard to reconcile with existing federal, state, and sector reporting rules. CISA said it received about 300 comments and later asked for actionable ways to reduce scope and burden.

    The WSJ reported in July 2024 that companies, trade groups, and lawmakers criticized the draft as confusing and duplicative. Financial-sector groups warned that vague “substantial cyber incident” language could cause overreporting. Healthcare groups raised concerns about overlap with HIPAA and incident response pressures.

    Axios reported that healthcare organizations objected to proposed report content, including descriptions of security defenses. Federal News Network reported in June 2026 that lawmakers and industry groups were still pressing CISA to narrow the rule while others urged the agency to finish it quickly.

    How Much Would The CIRCIA Proposed Rule Cost Businesses And The Federal Government?

    CISA estimated the proposed rule would cost $2.6 billion on an undiscounted basis over the analysis period, including $1.4 billion in industry costs and $1.2 billion in federal government costs. CISA estimated 210,525 CIRCIA reports over the same period.

    The main industry cost drivers are familiarization, reporting, records preservation, help desk use, and enforcement-related work. CISA estimated a familiarization cost of $1,587.49 per covered entity and $33.58 per non-covered entity checking whether it is outside scope.

    CISA estimated the average cost for a covered entity experiencing a single covered cyber incident at $4,139.60. The agency said 99.2% of 264 NAICS codes with available revenue data had a revenue impact of 1% or less.

    What Government Actions Are Driving CIRCIA Toward A Final Rule?

    The main government actions are CIRCIA’s statutory mandate, CISA’s 2022 request for information, the 2024 NPRM, the comment extension, the Unified Agenda delay, and the 2026 town hall notices. CISA said the meetings are meant to refine scope and burden before finalization.

    CISA’s February 13, 2026 Federal Register notice said the agency wanted specific, actionable improvements to clarify or reduce regulatory burden while improving federal visibility into cyber threats affecting critical infrastructure. The notice said CISA was not reopening the comment period at that time.

    The May 26, 2026 notice replaced town halls originally planned for March and April. CISA said the earlier sessions did not occur because of a DHS appropriations lapse. The revised schedule kept the same background, topics of interest, and town hall procedures.

    What Questions Remain About The CIRCIA Final Rule In 2026?

    The main unresolved CIRCIA questions in 2026 concern final scope, reporting thresholds, sector criteria, harmonization with other rules, privacy protections, enforcement practice, and whether CISA will narrow the size-based criterion. CISA has not published the final regulatory text as of June 18, 2026.

    A major open issue is reporting overlap. Public companies face SEC cyber disclosure duties, banks have federal incident notification rules, healthcare entities face HIPAA breach duties, and many sectors already report cyber events to specialized regulators. CISA proposed a substantially similar reporting exception, but it depends on interagency agreements and reporting mechanisms.

    Another open issue is legal risk. Courts may scrutinize agency interpretations more closely after recent administrative-law decisions, and industry critics have argued that unclear statutory terms could invite disputes after finalization.

    Why Does CIRCIA Matter For U.S. Cybersecurity Policy?

    CIRCIA matters because it would give CISA a broader federal view of cyber incidents across critical infrastructure sectors that are often targeted through ransomware, supply-chain compromise, cloud compromise, managed service providers, and zero-day exploitation. CISA said timely reports would help it analyze trends and warn other defenders.

    The rule would also change cyber incident response inside regulated organizations. Legal, security, communications, operations, and executive teams would need to make faster decisions about material facts, ransom payments, third-party compromise, and evidence preservation.

    The broader significance is that U.S. cyber policy is moving from voluntary reporting toward mandatory incident visibility. CIRCIA is not yet final, but it remains one of the most consequential federal cyber reporting efforts for critical infrastructure.

    How Does Bright Defense Help Critical Infrastructure Organizations?

    Bright Defense helps critical infrastructure organizations strengthen cyber resilience through penetration testing, attack surface management, continuous compliance, security assessments, and incident response readiness services. Our work helps operators identify security gaps across IT, cloud, operational technology, third-party connections, remote access systems, and internet-facing assets that support essential operations.

    For critical infrastructure providers, Bright Defense can identify exposed assets, validate security controls, assess cloud and network configurations, review third-party risk, test attack paths, evaluate incident readiness, and document remediation priorities. The resulting findings help security, compliance, and operational teams reduce cyber risk, support regulatory obligations, improve visibility into critical systems, and maintain the availability of services that communities, governments, and businesses depend on.

    Sources Cited In This CIRCIA Rulemaking Report

    1. Federal Register – Request For Information On The Cyber Incident Reporting For Critical Infrastructure Act Of 2022 (September 12, 2022)
      https://www.federalregister.gov/documents/2022/09/12/2022-19551/request-for-information-on-the-cyber-incident-reporting-for-critical-infrastructure-act-of-2022
    2. CISA – Cyber Incident Reporting For Critical Infrastructure Act Of 2022 (CIRCIA) (Accessed June 18, 2026)
      https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia
    3. Federal Register – Cyber Incident Reporting For Critical Infrastructure Act Reporting Requirements (April 4, 2024)
      https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
    4. Federal Register – CIRCIA Reporting Requirements, Extension Of Comment Period (May 6, 2024)
      https://www.federalregister.gov/documents/2024/05/06/2024-09505/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements-extension-of
    5. Federal Register – CIRCIA Rulemaking Town Hall Meetings (February 13, 2026)
      https://www.federalregister.gov/documents/2026/02/13/2026-02948/cyber-incident-reporting-for-critical-infrastructure-act-circia-rulemaking-town-hall-meetings
    6. Federal Register – Town Hall Meetings To Provide Input On CIRCIA Rulemaking (May 26, 2026)
      https://www.federalregister.gov/documents/2026/05/26/2026-10417/town-hall-meetings-to-provide-input-on-cyber-incident-reporting-for-critical-infrastructure-act
    7. Federal News Network – CISA Revives Push Toward Long-Awaited Cyber Incident Reporting Rules (June 12, 2026)
      https://federalnewsnetwork.com/cybersecurity/2026/06/cisa-revives-push-toward-long-awaited-cyber-incident-reporting-rules/
    8. CyberScoop – CISA Pushes Final Cyber Incident Reporting Rule To May 2026 (September 2025)
      https://cyberscoop.com/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026/
    9. JD Supra / Perkins Coie – CISA Moves Toward Finalizing CIRCIA Reporting Requirements For Critical Infrastructure (June 16, 2026)
      https://www.jdsupra.com/legalnews/cisa-moves-toward-finalizing-circia-8680489/
    10. Wall Street Journal – U.S. Publishes Draft Federal Rules For Cyber Incident Reporting (March 27, 2024)
      https://www.wsj.com/articles/u-s-publishes-draft-federal-rules-on-reporting-cyberattacks-c5c768d6
    11. Wall Street Journal – Companies Sharply Criticize Draft U.S. Cyber Reporting Rules (July 11, 2024)
      https://www.wsj.com/articles/companies-sharply-criticize-draft-u-s-cyber-reporting-rules-2848dce5
    12. Axios – Health Care Industry Pushes Back Against Cybersecurity Proposal (July 8, 2024)
      https://www.axios.com/2024/07/08/health-care-cyberattack-cybersecurity-cisa-pushback
    13. Davis Wright Tremaine – CISA Delays Cyber Incident Reporting Rules Until May 2026 (September 2025)
      https://www.dwt.com/blogs/privacy–security-law-blog/2025/09/cisa-delays-cyber-incident-reporting-rules-2026
    14. CISA – CIRCIA NPRM Overview (May 2024)
      https://www.cisa.gov/sites/default/files/2024-05/CIRCIA%20NPRM%20Overview%20May_508cL.pdf

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust and keeps them ahead of the curve.
