
U.S. Cyber Incident Reporting for Critical Infrastructure Act Signed

Critical infrastructure operators now have federal reporting requirements for cyber incidents. Under CIRCIA, you have 72 hours to report significant incidents to CISA, and 24 hours if you pay a ransom. The liability protections are real: CISA cannot use your report against you in enforcement actions. The final rules are coming in 2025.

Reviewed for accuracy by Kodi C.


Legislative Enactment and Purpose

President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) on 15 March 2022 as part of the Consolidated Appropriations Act. The legislation requires covered critical infrastructure entities to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours.

CIRCIA represents the most significant expansion of federal cyber incident reporting requirements, creating mandatory disclosure obligations that previously existed only in sector-specific contexts like financial services and healthcare. The law aims to improve national situational awareness of cyber threats and enable faster coordinated response to attacks affecting critical infrastructure.

Covered Entities and Scope

CIRCIA applies to covered entities across critical infrastructure sectors as defined by CISA, encompassing communications, energy, financial services, healthcare, information technology, transportation, and other sectors. The exact scope depends on implementing regulations defining which entities within each sector meet size, function, or criticality thresholds triggering reporting obligations.

CISA's rulemaking process, which must complete by March 2024, will specify covered entity criteria, likely focusing on entities whose compromise could significantly impact critical infrastructure operations, public safety, or national security. Potentially affected organizations should monitor rulemaking proceedings to understand whether they fall within scope and prepare compliance capabilities as needed.

Reportable Incident Criteria

Covered entities must report "covered cyber incidents" meeting materiality thresholds established through regulation. The statute provides general parameters: incidents that significantly disrupt critical infrastructure operations, cause significant compromise of confidentiality or integrity, or have potential to significantly harm public health and safety or national security.

Implementing regulations will specify technical criteria for determining when incidents meet reporting thresholds. The 72-hour reporting timeline begins when the entity reasonably believes a covered incident has occurred, not when investigation completes. If you are affected, develop incident classification frameworks that enable rapid materiality assessments and trigger appropriate reporting workflows.

Ransomware Payment Reporting

The 24-hour ransomware payment reporting requirement addresses growing concerns about ransomware ecosystem economics and the need for faster government visibility into payment flows. Covered entities must report ransom payments regardless of whether the underlying incident independently meets covered incident thresholds. This accelerated timeline recognizes that ransom payments often occur quickly following attacks, and rapid reporting enables law enforcement action against threat actors, payment recovery efforts, and warnings to other potential victims using the same threat infrastructure. Organizations considering ransom payments should factor reporting obligations into response planning.

Liability Protections

CIRCIA includes liability protections designed to encourage reporting without fear of legal exposure. Reports submitted to CISA cannot be used as the basis for regulatory enforcement actions, and submission does not waive attorney-client privilege or work product protections. Reports are exempt from Freedom of Information Act disclosure and cannot be used directly in civil litigation against reporting entities. These protections aim to reduce barriers that have historically discouraged voluntary incident sharing, though you should understand the boundaries of the protections and ensure reports are submitted through proper channels to qualify for them.

CISA's Role and Information Sharing

CISA serves as the central repository for CIRCIA reports, analyzing submissions to identify threat patterns, warn potential victims, and coordinate defensive responses. The agency must share relevant information with sector risk management agencies, the FBI, and other appropriate federal entities while protecting reporting entity identities where possible. CISA can also use reported information to develop anonymized threat intelligence products for broader distribution. The aggregated visibility from mandatory reporting should significantly improve CISA's ability to understand adversary campaigns and provide actionable defensive guidance to critical infrastructure operators.

Implementation Timeline and Compliance Preparation

The statute required CISA to publish a Notice of Proposed Rulemaking by March 2024 and final rules by March 2025, with compliance obligations taking effect upon final rule publication. Organizations potentially within scope should begin preparation by establishing incident classification procedures, documenting reporting workflows, identifying responsible personnel, and developing relationships with sector-specific ISACs and CISA regional representatives.

While final rule requirements remain uncertain, the statutory framework provides sufficient guidance to begin developing compliance infrastructure. Early engagement with rulemaking consultations offers an opportunity to influence practical aspects of implementation.
