The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law in March 2022. Nearly four years later, its implementing regulations remain in draft. The Cybersecurity and Infrastructure Security Agency (CISA) has targeted May 2026 for publication of the final rule — a deadline that has itself been delayed multiple times and that now faces further uncertainty due to a lapse in DHS appropriations that forced the cancellation of scheduled public town halls in early 2026.

Despite the delays, CIRCIA is coming. When the final rule is published, it will impose mandatory cyber incident reporting obligations on more than 300,000 entities operating across 16 critical infrastructure sectors. The 72-hour reporting clock — measured from when an entity “reasonably believes” a covered incident has occurred, not from when an investigation confirms it — will be one of the most demanding federal reporting requirements ever imposed outside of the healthcare sector.

Covered entities that are not preparing now will not have time to prepare after the final rule is published. This article explains what CIRCIA requires, who is covered, and what organizations should be doing in the period before the rule takes effect.


What CIRCIA Is

CIRCIA was enacted in March 2022 as part of the Consolidated Appropriations Act of 2022. The legislation directed CISA to develop regulations requiring covered entities to report covered cyber incidents and ransomware payments within specified timeframes, and to submit supplemental reports as additional information becomes available.

Congress’s intent was explicit: mandatory, rapid reporting from critical infrastructure operators would give CISA visibility into cyber threats that it currently lacks, enabling the agency to push defensive guidance to potential victims before an attack spreads, analyze patterns across sectors to identify systemic vulnerabilities, and share threat intelligence with federal law enforcement and the Intelligence Community.

CIRCIA does not require covered entities to take specific defensive actions in response to incidents. It requires them to report. The theory of the regulation is that centralized, mandatory reporting will produce intelligence that improves collective defense — a model borrowed from the financial sector’s mandatory suspicious activity reporting framework.


Key Requirements Under the NPRM

CISA published a Notice of Proposed Rulemaking (NPRM) in April 2024 that provides the detailed framework for what the final rule will require. The final rule may differ from the NPRM — particularly given CISA’s stated intent to streamline requirements in response to public comment — but the NPRM defines the operative terms and general structure.

Covered Entities

The rule applies to entities operating in any of the 16 critical infrastructure sectors designated under Presidential Policy Directive 21:

  1. Chemical
  2. Commercial Facilities
  3. Communications
  4. Critical Manufacturing
  5. Dams
  6. Defense Industrial Base
  7. Emergency Services
  8. Energy
  9. Financial Services
  10. Food and Agriculture
  11. Government Services and Facilities
  12. Healthcare and Public Health
  13. Information Technology
  14. Nuclear Reactors, Materials, and Waste
  15. Transportation Systems
  16. Water and Wastewater Systems

Within these sectors, the rule applies to entities that exceed the Small Business Administration’s small business size standard for their industry — a threshold designed to exempt the smallest businesses from compliance burden while capturing the entities most likely to face sophisticated attacks and most likely to have accurate, useful information to report.

CISA has estimated that more than 300,000 entities meet this coverage threshold. The covered population includes private sector companies, nonprofit organizations, and some state and local government entities.

Covered Cyber Incidents

Not every security event triggers a reporting obligation. The NPRM defines a “covered cyber incident” as one that meets a substantial cyber incident threshold — an incident that causes material loss of confidentiality, integrity, or availability of a covered entity’s information systems, substantially disrupts business or industrial operations, or impacts critical systems.

The specific threshold will be refined in the final rule. CISA received extensive public comment arguing that the NPRM’s threshold was too broad — potentially capturing minor security events that do not warrant federal reporting — and that the agency should clarify what constitutes a “substantial” incident. CISA has indicated it intends to address this feedback in the final rule.

Reporting Timelines

Covered cyber incident report: 72 hours from when the covered entity “reasonably believes” a covered cyber incident has occurred.

Ransomware payment report: 24 hours from making a ransom payment.

Supplemental report: Required when the covered entity obtains substantial new or different information after the initial report, or upon request from CISA.

The 72-hour clock is the most operationally demanding element of CIRCIA for most organizations. It starts when a company “reasonably believes” — not when investigation confirms — that a covered incident has occurred. This means the clock can start before a forensic analysis is complete, before the scope of the incident is fully understood, and before the organization knows whether the incident meets the covered threshold.

Organizations that do not have incident response procedures specifically designed for rapid external reporting — including clear internal escalation paths, pre-approved report templates, and designated personnel with authority to file reports — will struggle to meet this timeline.

Information Required in Reports

CIRCIA reports must include a specified set of information about the incident. The NPRM’s required elements include:

  • Identification of the covered entity and the covered sector
  • Description of the covered cyber incident, including the date it occurred or began and the duration
  • Description of the covered systems, networks, or devices affected
  • Description of the attacker’s unauthorized access (if known) and the tactics, techniques, and procedures used
  • Categories of data affected, including whether personal information was involved and approximate number of individuals affected
  • Contact information for the covered entity’s designated reporting point of contact

The final rule may modify these requirements. CISA received comment that some elements — particularly the description of attacker TTPs within 72 hours — are difficult to provide accurately before forensic investigation is complete. The final rule is expected to address this by clarifying what preliminary information is sufficient for the initial report and what may be provided in supplemental filings.

Protections for Reported Information

CIRCIA includes several protections for information submitted in CIRCIA reports:

  • Reports are not subject to FOIA disclosure
  • Reports are not admissible as evidence in civil litigation
  • Reports may not be used against the covered entity by federal agencies in regulatory proceedings
  • Covered entities are immune from suit based solely on submitting a CIRCIA report

These protections were deliberately designed to address the concern that mandatory reporting, by exposing entities to litigation risk, would discourage full and candid disclosure. Whether these protections are sufficient — and whether they will withstand legal challenge — remains to be seen, but their inclusion reflects Congressional recognition that requiring disclosure without liability protection would undermine the program.


Why the Final Rule Has Been Delayed

CIRCIA’s timeline from enactment to final rule has been unusually extended, even by federal regulatory standards. Several factors have contributed to the delays:

Volume and complexity of public comment. The NPRM generated an extremely large volume of public comment — over 400 formal comments — reflecting the breadth of the covered population and the complexity of the proposed requirements. CISA has acknowledged that the volume of comment required substantial time to review and incorporate.

Streamlining pressure. Industry commenters extensively argued that the NPRM’s scope was too broad, its thresholds too low, and its requirements too burdensome — particularly for smaller covered entities. CISA has committed to addressing these concerns by narrowing scope and reducing burden in the final rule, which requires additional regulatory drafting.

Harmonization challenges. CIRCIA is not the only federal cyber reporting requirement. The SEC’s 2023 cybersecurity disclosure rule, HIPAA’s breach notification requirements, TSA’s pipeline and aviation sector directives, the nuclear sector’s requirements, and various financial sector reporting obligations all exist in a partially overlapping regulatory space. Harmonizing CIRCIA reporting with existing requirements — so that a single incident does not require simultaneous reports to five different agencies in five different formats — is a significant drafting challenge.

Federal appropriations lapses. DHS appropriations lapses in early 2026 prevented CISA from holding scheduled public town halls on the CIRCIA rulemaking, which were intended to give stakeholders additional input before the rule was finalized. CISA has committed to rescheduling these town halls, but their postponement has further complicated the finalization timeline.

As of early May 2026, CISA has stated publicly that it remains committed to finalizing the rule and to giving stakeholders another opportunity to comment through the town hall process before doing so. Whether the final rule will actually be published in May 2026 or slip further is uncertain.


What Organizations Should Be Doing Now

The uncertain timeline does not diminish the urgency of preparation. The compliance window after the final rule is published — before its requirements become mandatory — will be months, not years. Organizations that are not prepared when the final rule drops will not have sufficient time to build preparedness from scratch.

1. Determine Whether You Are a Covered Entity

The first compliance step is understanding whether you are in scope. Work through the two-part analysis:

  • Does your organization operate in one of the 16 critical infrastructure sectors?
  • Does your organization exceed the SBA small business size standard for your industry?

If the answer to both questions is yes, you are likely a covered entity. Organizations with operations spanning multiple sectors may need to analyze coverage sector by sector.

2. Develop a CIRCIA-Ready Incident Response Framework

Your incident response plan needs to be updated to reflect CIRCIA’s 72-hour timeline. This means:

  • Trigger criteria: Defining, in advance, what types of events will be assessed as potential “covered cyber incidents” requiring the CIRCIA clock to start
  • Internal escalation: Establishing who is responsible for making the determination that a covered incident has occurred and who has authority to file the CIRCIA report
  • Report templates: Pre-building report templates for common incident types so that the reporting team is not building reports from scratch during an active incident
  • Designated contacts: Identifying and maintaining current contact information for the individuals who will file reports and receive CISA follow-up communications

3. Establish a CISA Reporting Relationship

CISA has operated voluntary reporting mechanisms for years and has sector-specific engagement programs through its Stakeholder Engagement Division. Organizations that establish a relationship with CISA before CIRCIA’s mandatory reporting requirements take effect will be better positioned to understand the reporting portal, the process, and the contacts on the CISA side.

4. Map Your Ransomware Payment Process

The 24-hour ransomware payment reporting requirement is the most time-sensitive obligation in CIRCIA. Any organization that could find itself faced with a ransomware payment decision — which includes virtually every covered entity — needs to identify in advance: who has authority to authorize a ransom payment, what the approval process looks like, and who is responsible for ensuring the 24-hour CIRCIA report is filed.

Note that CIRCIA does not prohibit ransomware payments. It requires reporting of them. The reporting obligation applies regardless of whether the payment is made voluntarily, under duress, or through a third-party ransom negotiator.

5. Review Existing Reporting Obligations for Harmonization

If your organization already has cyber incident reporting obligations under other frameworks — SEC 8-K requirements, HIPAA breach notification, state breach notification laws, or sector-specific obligations — work through how CIRCIA reporting interacts with those existing obligations. In many cases, a single incident will require reports to multiple agencies with different timelines, different required information, and different recipient contacts. Having a unified reporting framework that addresses all applicable obligations will reduce the risk of missed deadlines.


The Broader Significance

CIRCIA represents a structural shift in the U.S. government’s approach to cyber incident reporting. For decades, federal cyber incident reporting has been voluntary for most of the private sector — with the exception of specific sectors like finance and healthcare. CIRCIA converts that voluntary framework into a mandatory one across the entire critical infrastructure economy.

The practical consequence is that CISA will, for the first time, have a structured pipeline of real-time incident data from across the 16 critical infrastructure sectors. How CISA uses that data — and how effectively it converts mandatory reports into actionable defensive guidance pushed back to the covered community — will determine whether CIRCIA achieves its legislative purpose.

For covered entities, CIRCIA is both a compliance obligation and, if the program is executed well, a potential resource. Organizations that file accurate, timely reports should receive feedback from CISA that helps them understand the threat they are facing in a broader context. Whether that feedback loop materializes will be a function of CISA’s operational capacity, which the current appropriations environment has compressed.


Conclusion

CIRCIA’s final rule is approaching, though the exact publication date remains uncertain. The 72-hour reporting requirement is operationally demanding — particularly the trigger timing, which starts from “reasonably believes” rather than confirmed determination. Organizations in the 16 critical infrastructure sectors that meet the SBA size threshold need to assess coverage, update incident response plans, and build CIRCIA-specific reporting infrastructure before the final rule takes effect.

Waiting for the final rule to begin preparation is not a viable strategy. The compliance window will be short.


This article is provided for informational purposes only and does not constitute legal advice. Organizations with specific questions about CIRCIA coverage or compliance obligations should consult qualified legal counsel with regulatory expertise.