The most consequential cybersecurity regulation in the United States has a new expected arrival date — again. According to the latest Unified Agenda of Federal Regulatory and Deregulatory Actions, published on reginfo.gov and reported by Nextgov/FCW this week, CISA now expects to finalize the rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in September 2026. Once effective, the rule will require covered entities across all 16 critical infrastructure sectors to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
Readers of this site have watched this date move before. Congress set a statutory deadline of October 2025 — eighteen months after the April 2024 proposed rule. CISA missed it, announcing in September 2025 that the final rule would arrive in May 2026, which is where matters stood when we published our February 2026 deep-dive on the CIRCIA framework and our May 2026 operator briefing, which flagged that a lapse in DHS appropriations had already made the May target doubtful. May came and went. September 2026 is the new date.
This article is the update: why the timeline slipped, what CISA has signaled will change in the final rule, and — most importantly — what the September date means practically for the organizations that will have to live under it. Because the one thing that will not change is the pair of deadlines at the rule’s core. The 72-hour and 24-hour clocks are written into the statute itself; no amount of rulemaking can soften them. The final rule decides who they apply to and how they run, not whether they exist.
Why September: The Anatomy of a Two-Year Slip
CIRCIA became law on March 15, 2022, as Division Y of the Consolidated Appropriations Act, codified at 6 U.S.C. § 681 et seq. The statute gave CISA 24 months to issue a notice of proposed rulemaking and 18 months after that to finalize. CISA hit the first deadline — the NPRM published April 4, 2024 (89 Fed. Reg. 23644), proposing a new 6 CFR Part 226 — and then the schedule came apart. The verifiable reasons, in rough order of weight:
1. The comment record was brutal on scope. CISA estimated the proposed rule would cover 316,244 entities — a figure industry commenters, and a number of lawmakers, attacked as wildly over-inclusive, with thresholds too low and requirements too burdensome for smaller covered entities. CISA has publicly committed to addressing this by narrowing scope and reducing burden in the final rule, and by deconflicting CIRCIA with the existing patchwork of federal incident reporting regimes. Rewriting the covered-entity architecture of a rule this size is slow work, and it is the substantive reason the October 2025 statutory deadline was missed and May 2026 was announced in its place.
2. The DHS funding lapse froze stakeholder engagement. In February 2026, CISA announced a series of seven virtual town halls (Federal Register notice of February 13, 2026) to take final input on exactly the contested questions: the scope of covered entities, size-based and sector-based criteria, treatment of cloud and managed service providers, the definitions of covered incidents and ransom payments, harmonization with other requirements, and credit for substantially similar reports filed elsewhere. Those sessions — originally scheduled for March 9 through April 2, 2026 — were postponed by the partial government shutdown and DHS appropriations lapse this spring, and were ultimately held in June 2026. That freeze, now resolved, is the proximate cause of the May-to-September slip.
3. The deregulatory review environment. The rule is being finalized under an administration whose 2026 cyber strategy emphasizes regulatory streamlining and harmonization over new mandates. CIRCIA itself survives — it is a statutory command, not a discretionary initiative — but every design choice in the final rule is being made under pressure to justify burden, which favors a narrower, slower rule over a broader, faster one.
Two pieces of context make September plausible rather than aspirational. First, the town halls — the last open procedural step — are done. Second, the same Unified Agenda projects two related federal contracting cybersecurity rules for September 2026 as well, alongside a DoD interim final rule this month moving CMMC to NIST SP 800-171 Revision 3: the fall of 2026 is shaping up as a coordinated landing window for federal cyber regulation. It is also worth noting the awkward companion deadline: the information-sharing liability protections of the Cybersecurity Information Sharing Act of 2015, which underpin much voluntary reporting to CISA, are currently extended only through September 30, 2026. The voluntary regime’s legal foundation and the mandatory regime’s birth are converging on the same month.
What CIRCIA Requires: The Parts That Cannot Change
Whatever the final rule narrows, the statutory skeleton at 6 U.S.C. § 681b is fixed, and the April 2024 NPRM tells us how CISA intends to operationalize it. Organizations should plan against this structure now.
The 72-hour covered incident clock
A covered entity must report a covered cyber incident to CISA no later than 72 hours after the entity reasonably believes the incident occurred. Note the trigger with care: not confirmation, not forensic certainty, not completed impact analysis — reasonable belief. As proposed, a “substantial cyber incident” is one that leads to any of:
- Substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
- Serious impact on the safety and resiliency of operational systems and processes;
- Disruption of the ability to engage in business or industrial operations, or to deliver goods or services;
- Unauthorized access enabled by a third-party compromise — a supply chain breach, or the compromise of a cloud service provider or managed service provider the entity relies on.
That fourth prong deserves emphasis after the year the country has had. Under the proposed framework, victims of mass third-party exploitation events — the Oracle PeopleSoft zero-day wave is the obvious current example — would owe CISA a report for unauthorized access arriving through the vendor’s door, not just their own.
The 24-hour ransom payment clock
A covered entity that makes a ransom payment — or has one made on its behalf, including by an insurer or negotiator — must report it to CISA within 24 hours of the payment being made. This applies even if the underlying ransomware attack would not itself qualify as a covered cyber incident. If a payment is made within the 72-hour incident window, the proposed rule allows a single joint report. The required content is uncomfortable and specific: payment amount and currency, payment instructions and wallet addresses, the ransom demand, and identifying details of the transaction — the data CISA and the FBI want while the money is still moving.
Supplemental reports and the long tail
Reporting is not one-and-done. As proposed, covered entities must promptly file supplemental reports when substantial new or different information becomes available — revised scope, new attribution, a ransom payment made after the initial report — and the duty continues until the entity notifies CISA that the incident is concluded and fully mitigated and resolved. For a serious intrusion, that is a reporting relationship measured in months.
Data preservation
The proposed rule requires covered entities to preserve all data and records relevant to a covered incident or ransom payment for no less than two years from the submission of the most recent required report — in original form, protected by reasonable safeguards against deletion, alteration, and unauthorized access. Forensic images, logs, ransom notes, communications with the threat actor, payment records: all of it. Organizations whose log retention defaults to 30 or 90 days have an evidence-handling problem to solve before their first report, not after.
Enforcement: no fine schedule, but real teeth
CIRCIA’s enforcement design (6 U.S.C. § 681d) is often misread because it contains no headline civil penalty for a missed report. The actual mechanism is escalatory: if CISA believes a covered entity failed to report, it may issue a request for information; if the response is inadequate, an administrative subpoena; if the subpoena is ignored, a referral to the Attorney General for a civil enforcement action in federal district court, where non-compliance risks contempt. Two sharper edges sit alongside that ladder. Information obtained via subpoena that reveals grounds for it can be referred for criminal prosecution — unlike voluntarily reported information, which carries statutory protections. And any knowing and willful materially false or fraudulent statement in a CIRCIA report, RFI response, or subpoena reply is a federal crime under 18 U.S.C. § 1001. For federal contractors, the proposed rule adds suspension and debarment exposure. The compliance risk, in other words, is less a fine and more the sequence: missed report, subpoena, litigation, and personal criminal exposure for whoever signs a report that shades the truth.
The statute balances this with protections for those who report properly (6 U.S.C. § 681e): CIRCIA reports are exempt from FOIA, cannot be used by regulators in enforcement actions against the reporting entity (except to enforce CIRCIA itself), and carry litigation protections including a bar on using the report itself in private suits.
Who Will Be Covered — and Where the Narrowing Will Land
The proposed rule’s covered-entity test has two gates, and an organization passes if it clears either one while operating in any of the 16 critical infrastructure sectors (our February article walks the full sector list):
The size-based criterion. Any entity in a critical infrastructure sector that exceeds the SBA small business size standard for its industry — a revenue or headcount threshold that varies by NAICS code. This gate is what produced the 316,000-entity estimate, and it is where the criticism concentrated: it sweeps in mid-sized manufacturers, regional hospitals, and food distributors whose individual compromise is unlikely to be nationally significant.
The sector-based criteria. A set of specific descriptions that capture entities regardless of size because of what they do: owners and operators covered by chemical facility security programs, communications providers, defense industrial base contractors with certain DoD relationships, critical financial market participants, large healthcare providers, entities that manufacture certain critical devices or software, water systems serving more than a threshold population, and similar designations across the other sectors.
The honest current answer on final scope is: the direction is known, the destination is not. CISA has committed to narrowing and to reducing burden, and the June town halls specifically re-opened the size-based criteria, the sector-based criteria, and the treatment of cloud and managed service providers. A plausible final rule raises or replaces the SBA size gate, trims sector-based categories at the margins, and leans harder on criticality. What no organization should do is assume its way out of coverage before the text lands. If you are in a critical infrastructure sector and you are not a small business, plan as if covered until the final rule says otherwise.
Equally important: when the obligations start. CIRCIA’s reporting requirements are not in effect today and will not be until the final rule’s effective date — which the final rule itself will specify. The proposed rule contemplated obligations beginning on that effective date, while industry has pressed for a delayed compliance runway. Until the text publishes, the responsible planning assumption is that a September 2026 final rule produces enforceable reporting duties sometime between late 2026 and 2027 — enough time to finish a readiness program already underway, and nowhere near enough to start one from zero.
One Incident, Many Clocks: CIRCIA Against the Existing Reporting Stack
CIRCIA does not arrive on empty ground. It lands on top of a reporting stack that a single serious incident at a covered entity can trigger in its entirety, and the final rule’s harmonization choices will determine how much of that stack collapses into one filing.
CIRCIA vs. SEC Form 8-K Item 1.05. These regimes answer different questions on different clocks for different audiences. The SEC rule, whose enforcement record we track in our two-year 8-K disclosure tracker, requires public disclosure within four business days of determining an incident is material to investors. CIRCIA requires confidential reporting to CISA within 72 hours of reasonable belief that a covered incident occurred. The CIRCIA clock will usually start first — reasonable belief precedes a materiality determination — and the CIRCIA report is protected from public view while the 8-K is, by design, public. Public companies in critical infrastructure sectors need both workflows, sequenced, with legal owning the consistency between what CISA is told confidentially and what investors are told publicly. A CIRCIA filing that materially diverges from the subsequent 8-K narrative is a problem someone will eventually have to explain.
CIRCIA vs. HIPAA. A hospital ransomware event can trigger CIRCIA’s 72-hour report and, separately, HIPAA’s breach notification duties to HHS and affected individuals (60 days for breaches of unsecured PHI). CIRCIA’s substantially similar reporting exception may eventually relieve the federal-to-federal duplication — a covered entity that reports substantially similar information to another federal agency within a substantially similar timeframe, under a CIRCIA Agreement between CISA and that agency, is excused from a duplicate CIRCIA filing — but the exception only works where an agreement exists and the other regime’s clock is comparably fast. HIPAA’s 60-day window is not 72 hours; expect hospitals to file both.
CIRCIA vs. state law and sector rules. CIRCIA does not preempt state breach notification statutes, state regulator regimes like NYDFS’s 72-hour rule, or the sector rules already in force — the banking agencies’ 36-hour notification rule, TSA’s pipeline and rail directives, NERC CIP reporting. The “report once, share many” promise of CIRCIA’s harmonization machinery applies to federal reporting, agreement by agreement, and will mature over years, not at the effective date. The realistic near-term picture for a multi-regime entity is that CIRCIA adds a clock — the fastest general-purpose one — rather than replacing any.
The practical consequence: incident response playbooks need a notification decision matrix that runs all applicable clocks in parallel from a single set of facts, with the CIRCIA 72-hour timer treated as the pacing item because it starts at reasonable belief, before scoping is complete.
The Readiness Checklist: What to Finish Before September
The slip from May to September is not a reprieve; it is unearned schedule. Organizations that treat the next two months as the final buildout window will be ready. The checklist, in priority order:
- Make the coverage call and document it. Map your entity (and each legal entity in your corporate family — coverage applies entity by entity) against the 16 sectors, the SBA size standards for your NAICS codes, and the proposed sector-based criteria. Write the analysis down, with rationale, and diary it for re-validation the week the final rule publishes. If you are close to a line, prepare for coverage.
- Define “reasonable belief” for your own organization. The 72-hour clock starts at reasonable belief, which means someone must be designated to form it. Build a decision tree: which detections escalate, who convenes the assessment, who has authority to declare the clock running, and how the decision — either way — gets documented. An undocumented decision not to report is the worst possible artifact to hold when CISA comes asking.
- Build the report templates now. Draft skeleton CIRCIA incident and ransom payment reports against the NPRM’s required content, pre-populated with entity information. Seventy-two hours is short; none of it should be spent discovering what the form asks.
- Stand up 24/7 reporting capability. Both clocks run on weekends. On-call rotations, pre-authorized submitters, out-of-band access to the reporting portal, and legal counsel reachable at 2 a.m. are the operational minimum.
- Fix data preservation before you need it. Extend log retention for security-relevant sources to survive a two-year preservation duty, define the incident evidence-preservation procedure (original format, access controls, deletion holds), and test that a legal hold actually stops your log rotation.
- Integrate the ransom payment decision. If a payment is ever made — by you, your insurer, or a negotiator on your behalf — the 24-hour federal reporting duty attaches. Put CIRCIA notification into the payment-decision playbook and into your cyber insurance and IR retainer contracts explicitly, so no party assumes another is filing.
- Build the multi-regime notification matrix. One incident, all clocks: CIRCIA, SEC (if public), HIPAA (if health data), state AGs, NYDFS, sector regulators, contractual notice duties. Assign an owner per clock. The organizations that lapse are the ones improvising this map mid-incident.
- Exercise it. Run at least one tabletop before the final rule lands that drills the reporting workflow specifically: detection to reasonable-belief declaration to submitted draft report in under 72 hours, with legal review inside the window. Then run one with a ransom payment branch.
- Track the final rule’s two dates. When it publishes, the two numbers that matter are the effective date (when reporting duties begin) and the final covered-entity criteria. Re-run your coverage analysis against the final text within thirty days of publication.
Conclusion: The Deadline That Moves Is Not the One That Matters
CIRCIA’s history is a study in slipping schedules — a March 2022 statute, an April 2024 proposal, a missed October 2025 statutory deadline, a missed May 2026 target, and now September. It is tempting to read that record as evidence the rule will slip forever, and to defer the readiness spend accordingly. That is the wrong lesson.
The dates that have moved are CISA’s. The dates that will not move are yours: 72 hours from reasonable belief, 24 hours from payment, running nights and weekends, enforced by subpoena and backstopped by federal false statements law. Those numbers were fixed by Congress four years ago and have survived every delay, every town hall, and every deregulatory review since. The final rule will decide how many organizations they bind — likely fewer than the 316,000 the proposal contemplated — but for the entities that remain covered, the obligations arrive whole, with no phase-in of the clocks themselves.
Every slip so far has been free preparation time. September’s is probably the last one. Spend it finishing the program, not watching the Unified Agenda.
Sources: Nextgov/FCW — CISA expects to finalize key cyber reporting rule by September, Federal News Network — CIRCIA, other big cyber rules expected to get finalized this fall, Federal Register — CIRCIA Reporting Requirements (NPRM, April 4, 2024), Federal Register — CIRCIA Rulemaking Town Hall Meetings (February 13, 2026), CISA — CIRCIA FAQs, Hunton — Navigating Cyber Disclosures in 2026
This article is provided for informational purposes only and does not constitute legal advice.



