Policy Briefing — U.S. Cyber Incident Reporting for Critical Infrastructure Act Signed

President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act on 15 March 2022, establishing federal mandates for covered entities to report significant cyber incidents and ransom payments to CISA.

On 15 March 2022 the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) became law as part of the Consolidated Appropriations Act. The statute directs the Cybersecurity and Infrastructure Security Agency (CISA) to require covered critical infrastructure owners and operators to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours. It also gives CISA subpoena authority to compel reports, establishes liability protections, and sets timelines for notice of supplemental information.

The law launches a rulemaking that will define covered entities and reportable incidents, with a two-year window for final rules. Security leaders should begin aligning incident response playbooks to rapid-reporting expectations and inventorying what telemetry and forensic artifacts will be necessary to satisfy CISA requests.
