The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, directs CISA to establish mandatory cyber incident and ransomware payment reporting requirements for critical infrastructure entities. CISA published the Notice of Proposed Rulemaking in April 2024; the final rule is now expected by May 2026, delayed from the original October 2025 target, and the reporting obligations take effect only once that rule does.
Once effective, CIRCIA will create the most comprehensive federal cyber incident reporting mandate for the private sector in US history.
Reporting Requirements
Covered Cyber Incidents (72-hour reporting)
Critical infrastructure entities must report covered cyber incidents to CISA within 72 hours of the time they reasonably believe a covered incident has occurred. The clock runs from reasonable belief, not from forensic confirmation, so an entity that waits to finish its investigation before starting the clock risks missing the deadline. A covered cyber incident includes substantial loss of confidentiality, integrity, or availability of information systems; serious impact on the safety and resiliency of operational systems; disruption of business or industrial operations; or unauthorized access to information systems or nonpublic data.
Ransomware Payments (24-hour reporting)
Any ransomware payment made by a covered entity must be reported to CISA within 24 hours of the payment being disbursed. This applies whether the entity pays directly or a third party (for example, an insurer or negotiator) pays on its behalf, and it applies even if the underlying incident was not itself a covered cyber incident.
Supplemental Reports
Covered entities must submit supplemental reports when substantially new or different information becomes available about a previously reported incident.
Who Is Covered
CIRCIA applies to entities in the 16 critical infrastructure sectors defined by Presidential Policy Directive 21:
| Sector | Examples |
|---|---|
| Chemical | Chemical manufacturers and distributors |
| Commercial Facilities | Stadiums, shopping centers, casinos |
| Communications | Telecom providers, ISPs, satellite operators |
| Critical Manufacturing | Primary metals, machinery, electrical equipment |
| Dams | Hydroelectric, navigation locks, levees |
| Defense Industrial Base | DoD contractors and suppliers |
| Emergency Services | Law enforcement, fire, EMS |
| Energy | Electric utilities, oil and gas, pipelines |
| Financial Services | Banks, exchanges, clearing houses |
| Food and Agriculture | Food production, distribution, restaurants |
| Government Facilities | Federal, state, local government buildings |
| Healthcare and Public Health | Hospitals, pharmaceutical, laboratories |
| Information Technology | Hardware, software, IT service providers |
| Nuclear | Nuclear reactors, materials, waste |
| Transportation | Aviation, maritime, rail, highways |
| Water | Drinking water and wastewater systems |
The final rule will define specific size and operational thresholds within each sector.
How CIRCIA Interacts with Existing Requirements
| Regulation | Reporting Timeline | Relationship to CIRCIA |
|---|---|---|
| SEC 8-K | 4 business days after a materiality determination | Separate obligation; different trigger (materiality vs. incident type) |
| HIPAA | 60 days after discovery (breach notification) | CIRCIA is faster; both may apply to healthcare |
| NYDFS | 72 hours | Similar timeline; CIRCIA is federal |
| TSA pipeline directives | 12 hours | Stricter than CIRCIA; sector-specific |
| Bank regulators (OCC/FDIC) | 36 hours | Stricter than CIRCIA for banks |
CIRCIA includes a harmonization provision: where CISA has entered into an agreement with another federal agency, a substantially similar report already made to that agency under an existing requirement can satisfy the CIRCIA obligation. Until such an agreement exists for a given regulator, the entity should assume both reports are due.
Liability Protections
Reports submitted under CIRCIA receive strong legal protections. Reports cannot be used to regulate, investigate, or take enforcement action against the reporting entity. Reports are exempt from FOIA disclosure. Reports are protected from use in civil litigation against the reporting entity. Submitting a report does not waive any applicable privilege over the information it contains.
These protections are designed to encourage honest, timely reporting without fear of legal consequences. They attach to the CIRCIA report itself and information derived from it; they do not shield the same facts if a regulator or litigant obtains them through other channels.
Enforcement
CISA can issue a request for information (RFI) to an entity it believes has experienced a covered incident but failed to report it. If the entity does not respond adequately, CISA can issue a subpoena. Failure to comply with a subpoena can be referred to the Department of Justice for a civil action to enforce it, and a court can treat continued non-compliance as contempt.
CIRCIA does not impose direct fines. The practical cost of not reporting is different: information CISA obtains through a subpoena, rather than a voluntary report, does not carry the liability protections described above and may be referred to regulators or the Department of Justice.
Practical Steps
Assess whether your organization falls within the 16 critical infrastructure sectors and will meet the size and operational thresholds in the final rule.
Map all current incident reporting requirements (SEC, HIPAA, sector-specific) and assess overlap with CIRCIA, including which existing reports might satisfy it under a harmonization agreement.
Build processes to detect, classify, and report covered incidents within 72 hours, with the clock starting at reasonable belief rather than confirmed root cause.
If your organization's policy permits ransomware payments, build a 24-hour payment reporting workflow that is triggered by disbursement, including payments made by insurers or negotiators on your behalf.
Track each reported incident so that supplemental reports are filed when substantially new or different information emerges.
Understand the liability protections and ensure your reporting processes preserve them, in particular by reporting voluntarily rather than waiting for an RFI or subpoena.
Monitor the final rule expected in May 2026, since specific thresholds and definitions will determine applicability.
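The overlapping clocks above are easy to get wrong in practice because each one starts from a different event: reasonable belief for CIRCIA incidents, disbursement for ransomware payments, a materiality determination for the SEC, and discovery for most sector rules. The following tracker, an added example that is not part of this page or any CISA tooling, computes every applicable deadline for one incident, reports the next one due, and flags clocks that have expired without a filed report. The timelines are the ones stated in the table; the trigger event assigned to each regime, the field names, the decision to ignore public holidays in the business-day count, and the sample incident are all assumptions made for illustration.

```python
"""Reporting-clock tracker for an incident subject to CIRCIA and overlapping
regimes. Added example: the timelines come from the table on this page; the
trigger events, field names and holiday handling are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Regime:
    name: str
    trigger: str            # Incident attribute whose timestamp starts this clock
    hours: int = 0          # Calendar-hour clock (0 when business-day based)
    business_days: int = 0  # Business-day clock, e.g. SEC Form 8-K


# Timelines as stated on this page. Which event starts each clock is an
# assumption for illustration; confirm it against the regulation text.
REGIMES = {
    "CIRCIA-incident": Regime("CIRCIA covered incident", "reasonable_belief", hours=72),
    "CIRCIA-ransom": Regime("CIRCIA ransomware payment", "ransom_paid", hours=24),
    "SEC-8K": Regime("SEC Form 8-K", "materiality", business_days=4),
    "HIPAA": Regime("HIPAA breach notification", "detected", hours=60 * 24),
    "NYDFS": Regime("NYDFS", "detected", hours=72),
    "TSA-pipeline": Regime("TSA pipeline directive", "detected", hours=12),
    "Bank-36h": Regime("OCC/FDIC notification rule", "detected", hours=36),
}


@dataclass
class Incident:
    ident: str
    detected: datetime
    applicable: tuple                             # REGIMES keys this entity is subject to
    reasonable_belief: Optional[datetime] = None  # CIRCIA 72h clock starts here, not at detection
    ransom_paid: Optional[datetime] = None        # set only when a payment is actually disbursed
    materiality: Optional[datetime] = None        # SEC materiality determination
    reported: dict = field(default_factory=dict)  # regime key -> time the report was filed


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as UTC; every clock here is kept in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` weekdays (Mon-Fri). Public holidays are ignored (assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def deadlines(inc: Incident) -> dict:
    """Map each applicable regime to its deadline, or None when the clock's
    trigger event has not happened (e.g. no ransom has been paid)."""
    out = {}
    for key in inc.applicable:
        r = REGIMES[key]
        start = getattr(inc, r.trigger)
        if start is None:
            out[key] = None
        elif r.business_days:
            out[key] = add_business_days(start, r.business_days)
        else:
            out[key] = start + timedelta(hours=r.hours)
    return out


def pending(inc: Incident) -> dict:
    """Deadlines for clocks that are running and not yet satisfied by a report."""
    return {k: d for k, d in deadlines(inc).items()
            if d is not None and k not in inc.reported}


def earliest(inc: Incident):
    """(regime key, deadline) of the next report due, or None if nothing is pending."""
    p = pending(inc)
    return min(p.items(), key=lambda kv: kv[1]) if p else None


def overdue(inc: Incident, now: datetime) -> list:
    """Regime keys whose deadline has passed without a filed report."""
    return sorted(k for k, d in pending(inc).items() if d < now)


def mark_reported(inc: Incident, key: str, when: datetime) -> None:
    """Record that the report for `key` was filed at `when`."""
    inc.reported[key] = when


# Constructed sample (not a real incident): detected on a Monday, ransom paid
# the next day, materiality determined on Wednesday afternoon.
SAMPLE = Incident(
    ident="INC-0001",
    detected=ts("2026-06-01 08:00"),
    applicable=("CIRCIA-incident", "CIRCIA-ransom", "SEC-8K", "NYDFS"),
    reasonable_belief=ts("2026-06-01 14:00"),
    ransom_paid=ts("2026-06-02 10:00"),
    materiality=ts("2026-06-03 16:00"),
)

if __name__ == "__main__":
    for key, due in deadlines(SAMPLE).items():
        print(f"{key:16} {REGIMES[key].name:28} due {due}")
    print("next due:", earliest(SAMPLE))
    print("overdue at 2026-06-04 09:00:", overdue(SAMPLE, ts("2026-06-04 09:00")))
```

Two points the sample makes visible: the 24-hour ransomware clock is the first to expire even though the payment came a day after detection, and the SEC deadline lands nearly a week out because it counts business days from the materiality determination rather than hours from discovery. Feed this from your ticketing system's timestamps rather than hand-entered values, and treat the trigger assignments in REGIMES as something counsel signs off on.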