Signed into law in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) directs CISA to develop new reporting requirements for critical infrastructure entities that experience substantial cyber incidents or make ransomware payments.
To implement CIRCIA, the Department of Homeland Security published a notice of proposed rulemaking (NPRM) in April 2024. The public comment period was originally scheduled to close on June 3, 2024, but CISA extended it by a month, to July 3, 2024. At any rate, the wheels are in motion.
The notice for proposed rulemaking addressed how exactly CISA would implement CIRCIA, as well as the logistics surrounding covered entities’ reporting and retention of information related to cyber incidents and ransom payments.
CISA intends to publish the final rule in September 2025, and the reporting obligations will not formally take effect until 2026; nevertheless, covered entities need to start preparing now.
Covered entities affected by CIRCIA
In the United States, roughly 85% of critical infrastructure is privately owned, so an effective public-private partnership between the government and the private sector is essential to the law working at all.
CIRCIA applies to entities in the 16 critical infrastructure sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.
According to CISA's estimates, over 300,000 entities will be covered by CIRCIA. Many of these entities, including companies in healthcare, energy, and agriculture, will likely be surprised to learn that the proposed rules reach them. The first thing to do, then, is to determine whether your organization is a covered entity.
CIRCIA’s reporting and retention requirements
Once the requirements take effect, covered entities must report every "covered cyber incident" (a substantial cyber incident experienced by a covered entity) to CISA within 72 hours. More precisely, the clock starts when the organization forms a "reasonable belief" that a covered cyber incident has occurred, not when the intrusion itself began.
If the organization makes a ransom payment in connection with a ransomware attack, it must report the payment within 24 hours of making it. A payment made before the 72-hour incident report is due can be folded into a single combined report. Covered entities must also file supplemental reports when substantial new information about a reported incident becomes available, including any ransom payment made after the initial report.
Even though covered entities do not technically have to report cyber incidents until 2026, CISA is encouraging covered entities to begin reporting voluntarily today. Under the NPRM, a covered entity is an organization in one of the critical infrastructure sectors that either exceeds the Small Business Administration's small business size standard for its industry or meets one of the proposed sector-specific criteria, which apply regardless of size.
The NPRM proposes four categories of impact that make a cyber incident "substantial": (1) a substantial loss of confidentiality, integrity, or availability of an information system or network; (2) a serious impact on the safety and resiliency of operational systems and processes; (3) a disruption of the entity's ability to engage in business or industrial operations or to deliver goods or services; or (4) unauthorized access facilitated through the compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or through a supply chain compromise. A ransomware attack that produces any of these impacts is a covered cyber incident; a ransom payment is reportable in its own right under the separate 24-hour rule, even if the underlying attack would not otherwise qualify.
Penalties for noncompliance
Failure to comply with CIRCIA can carry serious consequences, though they arrive through a defined escalation process rather than an automatic fine. If CISA believes a covered entity has failed to report, it may first issue a request for information and, if the entity does not respond adequately, a subpoena. An entity that refuses to comply with the subpoena can be referred to the Attorney General for civil enforcement in federal court, and the NPRM also proposes referral for federal acquisition penalties, including suspension and debarment from government contracting.
The criminal exposure comes from the federal false statements statute (18 U.S.C. 1001), which the NPRM makes clear applies to CIRCIA submissions. Anyone who knowingly provides false or misleading information to CISA, or otherwise obstructs its ability to obtain accurate information, faces fines and up to five years in prison; if the offense involves international or domestic terrorism, the maximum rises to eight years.
The CIRCIA timetable and other concerns
First of all, the 2022 law gives CISA 18 months from publication of the notice of proposed rulemaking to issue the final rule. With the NPRM published in April 2024, that statutory deadline falls in October 2025, which is why CISA has been targeting September 2025. Because this is a major rule, it is then subject to a 60-day congressional review period under the Congressional Review Act before it takes effect, which pushes the effective date into early 2026, assuming no further delays.
Many covered organizations are understandably concerned about negative publicity and economic fallout from complying with CIRCIA, and CISA is taking steps to address this. The agency promises to release only anonymized and aggregated data. Covered organizations can designate submitted information as commercial, financial, or proprietary, and it will be handled accordingly. Submitted reports are exempt from disclosure under FOIA and equivalent state and local public records laws. CIRCIA also provides that a report cannot by itself be the basis of a lawsuit against the submitting entity and cannot be received in evidence in any court or regulatory proceeding. Hopefully, this assuages some concerns.
Preparing for these new reporting requirements
Despite CIRCIA not taking effect until early 2026, it is vital that covered organizations take a proactive approach. After confirming that the law does, indeed, apply to your company, assess whether your current tooling can actually detect a substantial incident and support a "reasonable belief" determination quickly enough to meet a 72-hour deadline.
To that end, you should be able to show regulators and auditors that your organization has sound cyber hygiene, a documented reporting process, and tested incident response and recovery plans. Through data mapping, you can begin to identify which records (logs, forensic images, communications with the attacker, payment records) would need to be preserved after an incident; the NPRM proposes that covered entities retain such records for at least two years from the date of their most recent report on the incident.
Of course, effective planning will likely involve many different departments. It's wise to designate a compliance team, including specific personnel responsible for filing the actual report, and any supplemental reports, if there's a substantial cyber incident.
Unfortunately, given the number of cyberattacks on American critical infrastructure entities, I expect that CIRCIA will, indeed, be enforced in 2026. If your organization is covered under the law, I'd recommend preparing today.