Cybersecurity · 6 min read · Credibility 91/100

CISA Issues Proposed Rule for CIRCIA Reporting — April 4, 2024

CISA released the CIRCIA proposed rule requiring covered critical infrastructure entities to report substantial cyber incidents within 72 hours and ransom payments within 24 hours. Comments are open.

Verified for technical accuracy — Kodi C.


On April 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposal defines covered entities and substantial cyber incidents, sets a 72-hour deadline for covered cyber incident reports, and sets a 24-hour deadline for ransom payment reports.

Key NPRM elements

  • Covered entities. Applies to entities in any of the 16 critical infrastructure sectors that either exceed the Small Business Administration size standard for their industry or meet one of the sector-based criteria in the proposal, regardless of size.
  • Reportable incidents. Requires reporting of substantial cyber incidents: those causing a substantial loss of confidentiality, integrity, or availability of a covered information system, a serious impact on the safety and resiliency of operational systems and processes, a disruption of the entity's ability to engage in business or industrial operations, or unauthorized access enabled by the compromise of a cloud, managed service, or other third-party provider or of the supply chain.
  • Reporting mechanics. Proposes a web-based CIRCIA reporting form as the primary submission channel, enumerates the required data elements, and requires preservation of related data and records for at least two years after the last report on an incident is submitted.

Control alignment guidance

  • Incident response plans. Update playbooks so that the moment the organization forms a reasonable belief that a covered cyber incident has occurred is recorded explicitly, since that moment starts the 72-hour clock; add the separate 24-hour ransom payment clock, evidence preservation procedures, and coordination with legal counsel.
  • Regulatory mapping. Align CIRCIA obligations with existing TSA, SEC, and sector-specific reporting requirements to avoid conflicting timelines. The NPRM's exception for substantially similar reporting applies only where CISA has an information-sharing agreement with the other agency, so an existing obligation does not by itself remove the CIRCIA one.
  • Vendor management. Confirm that managed service providers and incident response retainers can supply the incident details, indicators, and timelines the reports require, and that contracts allow a third party to submit reports on your behalf where the NPRM permits it.

Operational recommendations

  • Submit comments before the comment period closes, addressing the definitions and thresholds that determine coverage in your sector.
  • Run joint exercises with legal, communications, and technology teams to practice gathering the NPRM's required data fields within the 72-hour window, including the decision record for when reasonable belief was reached.
  • Assess logging, forensic readiness, and ransomware response contracts so that relevant data and records survive for at least two years after the last report on an incident is submitted.

Rule Overview

The Cybersecurity and Infrastructure Security Agency (CISA) published a Notice of Proposed Rulemaking (NPRM) on April 4, 2024, implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed rule establishes mandatory reporting requirements for covered critical infrastructure entities experiencing significant cyber incidents or making ransomware payments.

CIRCIA represents a significant expansion of federal cyber incident reporting requirements, creating a centralized repository of incident data to inform government response and improve collective defense capabilities. The rule follows extensive stakeholder engagement and reflects input received through requests for information and public listening sessions.

Covered Entities

The proposed rule defines covered entities using two kinds of criteria applied across the critical infrastructure sectors. A size-based criterion captures entities in a critical infrastructure sector that exceed the Small Business Administration small business size standard for their industry, measured by revenue or employee count. Sector-based criteria capture entities of any size that meet the functional or regulatory descriptions the proposal gives for particular sectors, many of which are already subject to federal oversight.

Covered entities include organizations in communications, energy, financial services, healthcare, information technology, transportation, and other critical infrastructure sectors. The rule provides detailed criteria for determining coverage within each sector, with CISA estimating approximately 316,000 entities would be subject to reporting requirements.

Reporting Requirements

Covered cyber incidents must be reported to CISA within 72 hours after the entity reasonably believes a covered cyber incident has occurred. A covered cyber incident is a substantial cyber incident experienced by a covered entity: one causing a substantial loss of confidentiality, integrity, or availability of information systems, a serious impact on the safety and resiliency of operational systems, a disruption of the entity's ability to provide services or operate, or unauthorized access resulting from a third-party provider or supply chain compromise.

Ransom payments require a separate ransom payment report within 24 hours after the payment is made, regardless of whether the underlying incident meets the covered cyber incident threshold. Where a ransom payment follows a covered cyber incident, the NPRM allows a single joint report that satisfies both obligations. The shorter timeline reflects the urgency of ransomware-related intelligence and the potential for payment information to inform ongoing investigations and disruption efforts.

Report Contents

Incident reports must include identifying information about the covered entity, a description of the incident including affected systems and functions, the dates the incident was discovered and its duration, the vulnerabilities exploited and the tactics, techniques, and indicators of compromise observed, remediation and response activities undertaken, and any known information about the threat actor. Entities must file supplemental reports when substantial new or different information becomes available, until they notify CISA that the incident has concluded.

The NPRM proposes a web-based reporting form on a CISA portal as the primary means of submission, supporting both initial and supplemental reports so that entities can track their submissions and CISA's engagement. Reporting formats accommodate varying levels of technical detail based on entity capabilities.

Information Protection

The rule carries forward CIRCIA's statutory protections for reported information. Reports are exempt from Freedom of Information Act disclosure, may not be used by any federal, state, tribal, or local government to regulate the reporting entity, including through enforcement actions (other than to enforce CIRCIA itself), are not admissible as evidence in proceedings against the entity, and submitting them does not waive applicable legal privileges or trade secret protection.

These protections address entity concerns about sharing sensitive incident information with the federal government. Clear boundaries on information use support reporting compliance while enabling CISA to aggregate and analyze incident data for defensive purposes.

Compliance and Enforcement

CISA may issue a request for information to an entity it believes experienced a covered cyber incident or made a ransom payment without reporting. If the entity does not respond adequately, CISA may issue a subpoena, and noncompliance with the subpoena may be referred to the Attorney General for civil action in federal court; the proposal also discusses suspension and debarment from federal contracting as a consequence of noncompliance. The enforcement framework balances compliance incentives with recognition of implementation challenges.

Wrapping up

The CIRCIA NPRM would establish the first comprehensive, cross-sector federal cyber incident reporting requirement for critical infrastructure. If you may be affected, determine your coverage status, comment during the public comment period, and begin building the reporting program you will need when the final rule takes effect.

Industry Coordination

If you are affected, engage with sector-specific information sharing and analysis centers (ISACs) and coordinating councils to understand sector interpretations and coordinate implementation approaches. Industry associations provide forums for sharing compliance strategies and addressing common challenges. Coordination with legal counsel ensures reporting procedures appropriately balance compliance obligations with legal privilege and liability considerations.

Participation in the public comment process enables teams to influence final rule development, raising implementation concerns and seeking clarification on ambiguous requirements. CISA has shown responsiveness to stakeholder input throughout the rulemaking process, and substantive comments may result in beneficial modifications to the final requirements.

Early compliance preparation positions organizations to implement the final rule smoothly and contributes to collective defense through systematic sharing of incident information with federal authorities. Document coverage determinations and reporting decisions: the record supports regulatory inquiries, demonstrates a commitment to cyber resilience, and keeps the program ready as you track the rule toward finalization and stakeholder comments shape its final requirements.

Reporting Threshold Considerations

CIRCIA establishes specific reporting thresholds triggering mandatory disclosure obligations. Organizations must assess whether incidents meet threshold criteria including substantial loss of confidentiality, integrity, or availability affecting critical infrastructure operations. Clear internal classification procedures help ensure consistent application of reporting requirements across the organization.

Timing requirements demand rapid internal assessment and escalation procedures. The 72-hour window runs from the moment the entity reasonably believes a covered cyber incident has occurred, not from full confirmation, and the 24-hour ransom payment window is shorter still, so neither leaves much time for investigation and decision-making. Organizations should establish pre-approved reporting templates and designated contacts to enable timely submissions without diverting the responders handling containment.

Coordination with Existing Requirements

CIRCIA reporting requirements overlay existing sector-specific incident reporting obligations. Organizations in regulated industries must coordinate CIRCIA submissions with sector-specific reporting to avoid duplicative efforts while ensuring thorough regulatory compliance. Documentation of reporting activities supports audit requirements and demonstrates compliance program effectiveness.



Cited sources

  1. CISA CIRCIA Notice of Proposed Rulemaking — cisa.gov
  2. Cyber Incident Reporting for Critical Infrastructure Act of 2022 — congress.gov
  3. NIST Cybersecurity Framework 2.0 — nist.gov
