CISA Advances CIRCIA Reporting Rule Toward 2026 Deadline


    Updated:

    May 9, 2026


    The U.S. Cybersecurity and Infrastructure Security Agency’s CIRCIA cyber incident reporting rule remains unfinished after more than 4 years of statutory, regulatory and industry debate, leaving critical infrastructure operators preparing for mandatory reports of covered cyber incidents within 72 hours and ransom payments within 24 hours once the final rule takes effect. CISA’s Spring 2025 regulatory agenda moved the final rule target to May 2026, and CISA later said a Department of Homeland Security funding lapse disrupted planned stakeholder town halls scheduled from March 9, 2026 through April 2, 2026.

    What Is The CIRCIA Cyber Incident Reporting Rule And Why Does It Matter Now?

    The CIRCIA rule is CISA’s pending regulation to make covered critical infrastructure entities report major cyber incidents and ransom payments to the federal government. It matters now because the rule is in the final-rule stage, the statutory deadline has passed, and CISA’s current timetable points to May 2026.

    Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 after ransomware attacks and supply-chain compromises exposed gaps in federal visibility into cyber threats. The statute directed CISA to write rules for “covered entities” and “covered cyber incidents,” with mandatory reporting of ransomware payments. CISA said the reports would support victim assistance, threat analysis and warning to other potential targets. 

    The proposed rule would create a national reporting channel for organizations across the 16 critical infrastructure sectors. That scope makes the rule one of the most consequential U.S. cyber compliance measures for hospitals, financial firms, energy operators, water systems, transportation entities, cloud providers and large businesses tied to infrastructure sectors. 

    What Is The Full Timeline For The CIRCIA Cyber Incident Reporting Rule From 2022 To 2026?

    The CIRCIA timeline began with enactment on March 15, 2022, moved through a CISA request for information on September 12, 2022, a harmonization report in 2023 and a proposed rule on April 4, 2024, and now points to a final-rule target of May 2026.

    CISA issued its early request for information in the Federal Register on September 12, 2022, seeking public input before drafting the proposed regulation. CISA then held listening sessions with stakeholders, including sector-specific sessions tied to the critical infrastructure community. 

    The Cyber Incident Reporting Council released a federal harmonization report on September 19, 2023, after reviewing 52 existing or proposed federal cyber incident reporting requirements. The report fed into CISA’s rulemaking because companies had warned that overlapping breach-reporting mandates could confuse incident teams during active crises. 

    CISA published the proposed CIRCIA rule in the Federal Register on April 4, 2024, with comments first due on June 3, 2024. CISA extended the public comment period to July 3, 2024, after public requests for more time. 

    The statutory deadline listed in the federal regulatory agenda was October 4, 2025, but the Spring 2025 Unified Agenda shifted the projected final rule date to May 2026. CISA later said a DHS appropriations lapse prevented planned town halls and would likely delay issuance of the final rule. 

    What Does The CIRCIA Proposed Rule Require Covered Entities To Report Within 72 Hours And 24 Hours?

    The proposed rule requires a covered entity to report a covered cyber incident to CISA within 72 hours after it reasonably believes the incident occurred, and to report a ransom payment within 24 hours after payment. A joint report can cover both when timing allows. 

    CISA proposed 4 report types: Covered Cyber Incident Reports, Ransom Payment Reports, Joint Covered Cyber Incident and Ransom Payment Reports, and Supplemental Reports. Supplemental reports would be required when substantial new or different information becomes available, or when a ransom payment follows a previously reported covered incident. 

    The proposed definition of “substantial cyber incident” covers events that cause substantial loss of confidentiality, integrity or availability; serious safety or operational resilience impacts; disruption to business or industrial operations; or unauthorized access tied to a cloud provider, managed service provider, third-party data host or supply-chain compromise. 

    CISA proposed a web-based CIRCIA Incident Reporting Form as the main reporting method. The rule would permit third parties to submit reports for covered entities, but the covered entity would retain the reporting obligation. 

    Which Critical Infrastructure Entities Would Fall Under The CIRCIA Cyber Incident Reporting Rule?

    The CIRCIA proposed rule would apply to entities in the 16 critical infrastructure sectors that meet CISA’s covered-entity criteria, including sector-based triggers and a size-based criterion. CISA estimated that 316,244 entities would be potentially affected, including businesses, government entities and other organizations. 

    CISA said the critical infrastructure sectors come from Presidential Policy Directive 21, with sector-specific plans helping organizations determine sector membership. The proposed rule names examples where coverage may be less obvious, including nursing homes, cemeteries, schools, elections infrastructure, mine tailings and navigation locks.

    CISA estimated that 310,855 of the 316,244 affected entities would be small entities. The agency said 99.2% of relevant NAICS codes with available revenue data would face a revenue impact of 1% or less, though industry groups questioned whether the operational burden would be manageable during active incidents. 

    How Would CISA Enforce The CIRCIA Cyber Incident Reporting Rule?

    CISA’s proposed enforcement model would allow the agency to issue requests for information and subpoenas when a covered entity fails to report or provides an inadequate response. CISA said the Director could issue a subpoena after at least 72 hours from service of an RFI. 

    The proposed rule states that an inadequate response can include omitted, incomplete, unclear or otherwise insufficient answers. CISA said failure to comply with mandatory Covered Cyber Incident, Ransom Payment or Supplemental Report obligations can count as an inadequate response. 

    CISA’s proposed regulation lists civil enforcement of subpoenas and referral to the DHS Suspension and Debarment Official among the enforcement-related provisions. That means noncompliance could create legal and business consequences beyond the report itself, especially for government contractors and regulated infrastructure operators. 

    What Should Organizations Do To Prepare For The CIRCIA Cyber Incident Reporting Rule?

    Organizations should prepare for CIRCIA through incident classification, evidence retention, ransom-payment governance, legal review and reporting workflow tests before the final rule arrives. The most practical step is to map existing incident response procedures to CISA’s 72-hour, 24-hour and supplemental-report triggers. 

    A covered organization should maintain an incident decision tree that separates reportable covered cyber incidents from non-reportable events. The rule’s proposed impact thresholds should be reflected in severity ratings, escalation rules and legal signoff procedures.

    A ransom-payment workflow should define who can approve payment, who must notify counsel, who contacts insurers, and who prepares the CISA report. Third-party incident responders, managed service providers and cloud providers should have contract language that supports fast information transfer.

    CISA proposed a 2-year preservation period for data and records related to reported covered incidents and ransom payments. The proposed record categories include threat-actor communications, indicators of compromise, log entries, memory captures, forensic images, network traffic, attack-vector information, system information, exfiltrated-data details, ransom-payment records and forensic reports. 
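The reporting triggers described in this section can be encoded directly in an incident response playbook. The following Python sketch is an added example, not CISA’s or Bright Defense’s code: it maps the proposed 72-hour, 24-hour, joint and supplemental triggers to concrete deadlines and computes the 2-year preservation window. The rules for when a joint report is "allowed" (payment before the 72-hour deadline, filed by the earlier clock), the supplemental-report deadline and the preservation clock start are this example’s assumptions, marked in the comments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Windows named in the proposed rule: 72 h for a covered cyber incident (from
# reasonable belief), 24 h for a ransom payment, 2-year record preservation.
INCIDENT_WINDOW = timedelta(hours=72)
RANSOM_WINDOW = timedelta(hours=24)
PRESERVATION_PERIOD = timedelta(days=2 * 365)


@dataclass
class Incident:
    reasonable_belief_at: datetime                    # clock start for the 72-hour report
    ransom_paid_at: Optional[datetime] = None         # clock start for the 24-hour report
    incident_reported_at: Optional[datetime] = None   # set once a Covered Cyber Incident Report is filed


def required_reports(inc: Incident) -> List[Tuple[str, datetime]]:
    """Return the (report type, deadline) pairs the incident currently triggers."""
    incident_due = inc.reasonable_belief_at + INCIDENT_WINDOW
    if inc.ransom_paid_at is None:
        return [("Covered Cyber Incident Report", incident_due)]
    ransom_due = inc.ransom_paid_at + RANSOM_WINDOW
    if inc.incident_reported_at is not None:
        # Payment after the initial report: the rule calls for a Supplemental Report.
        # Assumption in this example: it is filed on the same 24-hour ransom clock.
        return [("Supplemental Report", ransom_due)]
    if inc.ransom_paid_at <= incident_due:
        # Payment before the 72-hour deadline: one joint report can cover both.
        # Conservative assumption: file by whichever clock expires first.
        return [("Joint Covered Cyber Incident and Ransom Payment Report",
                 min(incident_due, ransom_due))]
    # Payment after the incident deadline with nothing filed: both reports are owed.
    return [("Covered Cyber Incident Report", incident_due),
            ("Ransom Payment Report", ransom_due)]


def preservation_until(last_report_submitted_at: datetime) -> datetime:
    """Assumption: the 2-year preservation clock runs from the most recent report."""
    return last_report_submitted_at + PRESERVATION_PERIOD


if __name__ == "__main__":
    # Constructed sample timeline, not a real incident.
    belief = datetime(2026, 5, 1, 10, 0, tzinfo=timezone.utc)
    for case in (Incident(belief),
                 Incident(belief, ransom_paid_at=belief + timedelta(hours=22)),
                 Incident(belief, ransom_paid_at=belief + timedelta(days=5),
                          incident_reported_at=belief + timedelta(hours=48))):
        for report, due in required_reports(case):
            print(f"{report}: due {due.isoformat()}")
```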

    Why Did Industry Groups Push Back On The CIRCIA Proposed Rule?

    Industry groups pushed back because they said the CIRCIA proposal was too broad, risked duplicating existing cyber rules and could pull responders away from containment during a crisis. Health care, financial services, retail and other sectors raised concerns about scope, penalties, definitions and timing. 

    The American Hospital Association said in July 2024 that it had concerns about penalties it described as “vague and potentially severe,” and urged CISA to revise the proposal to encourage collaboration rather than punishment. The AHA said it represented nearly 5,000 hospitals, health systems and health care organizations. 

    Financial-sector groups urged CISA to revise the proposal, saying the rule should better match congressional intent and support effective incident response. The Bank Policy Institute and other trade groups argued that definitions and timing should reduce conflicting duties across federal regimes. 

    What Did Congress And Federal Regulators Do After CISA Published The CIRCIA Proposal?

    Congress and federal regulators continued to scrutinize the CIRCIA proposal after publication, with lawmakers focusing on overlap across federal cyber reporting rules. A House hearing on March 11, 2025 criticized the draft rule’s breadth and the wider federal reporting patchwork. 

    The House Homeland Security Committee framed the 2025 hearing around the opportunity to improve and harmonize the cyber regulatory regime. According to Wall Street Journal reporting, lawmakers and witnesses said companies in power, financial services and technology faced conflicting mandates that could complicate incident response.

    The broader federal backdrop includes CIRCIA’s Cyber Incident Reporting Council, which reviewed 52 federal cyber incident reporting requirements in 2023. That finding became central to industry arguments that CISA should avoid adding another disconnected reporting burden. 

    What Will The CIRCIA Rule Cost Critical Infrastructure Organizations And The Federal Government?

    CISA estimated the proposed CIRCIA rule would cost $2.6 billion undiscounted over the analysis period, including $1.4 billion in industry costs and $1.2 billion in federal government costs. The agency estimated annualized costs of $244.6 million at a 2% discount rate. 

    The main industry cost drivers are rule familiarization, data and records preservation, and reporting. CISA estimated 210,525 CIRCIA reports over the analysis period, based on 316,244 covered entities. 

    CISA estimated an average cost of $33.58 per non-covered entity and $4,139.60 per covered entity experiencing a single covered cyber incident. The agency said the private-sector mandate would exceed $177 million in some years, mainly because of final-rule familiarization costs. 

    What Open Questions Remain Before CISA Finalizes The CIRCIA Rule In 2026?

    The main open questions are when CISA will publish the final rule, how much it will narrow the covered-entity definition, how it will treat overlapping federal reports, and whether delayed town halls will change the final text. CISA’s most recent public update points to more stakeholder input before finalization. 

    CISA said on April 24, 2026, that it remained committed to giving stakeholders another opportunity to comment through town halls before the rule is finalized. That statement followed the postponed March 9, 2026 through April 2, 2026 town hall series. 

    The final rule could alter definitions, reporting content, preservation duties, exceptions for substantially similar reports, and enforcement procedures. Organizations should treat the proposed rule as the planning baseline, not the final legal text.

    How Bright Defense Helps Critical Infrastructure Teams Prepare For The CIRCIA Cyber Incident Reporting Rule

    Bright Defense helps critical infrastructure organizations prepare for the CIRCIA rule through Penetration Testing, Continuous Compliance and Security Assessments that test incident readiness before mandatory reporting begins. These services help teams find control gaps, validate logging and evidence retention, and prepare reportable-incident workflows tied to CISA’s proposed deadlines.

    Penetration Testing can show whether exposed systems, misconfigurations or access-control weaknesses could lead to reportable operational disruption.

    Continuous Compliance can track control status, evidence collection and policy readiness against CIRCIA-adjacent requirements. Security Assessments can review incident response plans, ransom-payment escalation paths, third-party dependencies and record-preservation procedures before the final rule is published.

    Sources 

    1. Federal Register — Cyber Incident Reporting For Critical Infrastructure Act Reporting Requirements (April 4, 2024) https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements (Federal Register)
    2. Federal Register — CIRCIA Reporting Requirements Extension Of Comment Period (May 6, 2024) https://www.federalregister.gov/documents/2024/05/06/2024-09505/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements-extension-of (Federal Register)
    3. Reginfo.gov — Cyber Incident Reporting For Critical Infrastructure Act Reporting Requirements, RIN 1670-AA04 (Spring 2025) https://www.reginfo.gov/public/do/eAgendaViewRule?RIN=1670-AA04&pubId=202504 (RegInfo.gov)
    4. CISA — Cyber Incident Reporting For Critical Infrastructure Act Of 2022 CIRCIA (April 24, 2026 update) https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia (CISA)
    5. Federal News Network — CISA Delays Cyber Incident Reporting Town Halls Due To Shutdown (March 9, 2026) https://federalnewsnetwork.com/cybersecurity/2026/03/cisa-delays-cyber-incident-reporting-town-halls-due-to-shutdown/ (Federal News Network)
    6. CyberScoop — CISA Pushes Final Cyber Incident Reporting Rule To May 2026 (September 2025) https://cyberscoop.com/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026/ (CyberScoop)
    7. DHS — Harmonization Of Cyber Incident Reporting To The Federal Government (September 19, 2023) https://www.dhs.gov/publication/harmonization-cyber-incident-reporting-federal-government (dhs.gov)
    8. Wall Street Journal — U.S. Publishes Draft Federal Rules For Cyber Incident Reporting (2024) https://www.wsj.com/articles/u-s-publishes-draft-federal-rules-for-cyber-incident-reporting-c5c768d6 (The Wall Street Journal)
    9. Wall Street Journal — Companies Sharply Criticize Draft U.S. Cyber Reporting Rules (2024) https://www.wsj.com/articles/companies-sharply-criticize-draft-u-s-cyber-reporting-rules-2848dce5 (The Wall Street Journal)
    10. Wall Street Journal — Cyber Reporting Rules Savaged In House Hearing (March 2025) https://www.wsj.com/articles/cyber-reporting-rules-savaged-in-house-hearing-fdb3e39b (The Wall Street Journal)
    11. Bloomberg Law — Shutdown Stalls Compliance Plans For Cyber Breach Reporting Rule (March 2026) https://news.bloomberglaw.com/privacy-and-data-security/shutdown-stalls-compliance-plans-for-cyber-breach-reporting-rule (Bloomberg Law)
    12. American Hospital Association — AHA Comments On CIRCIA’s Cyber Incident Reporting Requirements (July 2, 2024) https://www.aha.org/news/headline/2024-07-02-aha-comments-circias-cyber-incident-reporting-requirements (American Hospital Association)

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust and keeps them ahead of the curve.
