CISA Issues Proposed Rule for CIRCIA Reporting — April 4, 2024

Executive briefing: On 4 April 2024 the Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The proposal sets out definitions for covered entities, reportable incidents, 72-hour incident reporting deadlines, and 24-hour ransomware payment notifications.

Key NPRM elements

• Covered entities. Applies to owners and operators in 16 critical infrastructure sectors that meet size or criticality criteria outlined in the proposal.
• Reportable incidents. Requires reporting of substantial cyber incidents that cause serious impacts, including unauthorized access to sensitive systems, disruptions of essential functions, or operational technology degradation.
• Reporting mechanics. Establishes the CIRCIA Reporting Portal, required data elements, and obligations to preserve records for at least two years.

Control alignment guidance

• Incident response plans. Update playbooks to incorporate 72-hour reporting triggers, evidence preservation procedures, and coordination with legal counsel.
• Regulatory mapping. Align CIRCIA obligations with existing TSA, SEC, and sector-specific reporting requirements to avoid conflicting timelines.
• Vendor management. Ensure managed service providers and incident response partners can support CIRCIA data collection and notification workflows.

Operational recommendations

• Submit comments by the 3 July 2024 deadline, addressing definitions and thresholds that affect your sector.
• Run joint exercises with legal, communications, and technology teams to practice gathering the NPRM’s required data fields within the 72-hour window.
• Assess logging, forensic readiness, and ransomware response contracts to ensure evidence retention for the mandated two-year period.

Related briefings

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 90/100 · March 18, 2024

EPA Issues Enforcement Alert on Water System Cyber Deficiencies — March 18, 2024

The Environmental Protection Agency warned drinking water systems to fix cybersecurity lapses after nationwide inspections uncovered critical gaps.

Cybersecurity · Credibility 93/100 · April 30, 2024

White House Issues NSM-22 on Critical Infrastructure Security — April 30, 2024

National Security Memorandum-22 replaces PPD-21 and modernizes U.S. critical infrastructure risk management, information sharing, and regulatory coordination.

Cybersecurity · Credibility 90/100 · May 9, 2024

TSA Expands Aviation Cybersecurity Directives — May 9, 2024

TSA ordered airport and aircraft operators to harden incident reporting, network segmentation, and access controls under new emergency amendments.

Cybersecurity · Credibility 91/100 · November 22, 2023

Australia Releases 2023–2030 Cyber Security Strategy — November 22, 2023

Australia’s 2023–2030 Cyber Security Strategy demands board-led coordination across the six cyber shields, phased execution of the 2023–2025 action plan, and privacy controls that preserve DSAR fidelity while expanding…

Cybersecurity · Credibility 91/100 · October 30, 2023

Executive Order 14110 on Safe, Secure, and Trustworthy AI — October 30, 2023

Executive Order 14110 directs NIST, DHS, and sector risk agencies to build secure-by-design AI guidance, critical infrastructure risk frameworks, and red-teaming regimes—demanding governance to oversee compliance…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook — Zeph Tech

  Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.