
Cybersecurity · Credibility 91/100 · 2 min read

Cybersecurity Briefing — September 27, 2025

CISA must publish the final CIRCIA reporting rule by September 27, 2025—18 months after the March 2024 NPRM—so critical infrastructure operators should lock breach-response playbooks, data pipelines, and board reporting ahead of the binding obligation.

Executive briefing: The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directs the Cybersecurity and Infrastructure Security Agency (CISA) to issue a final reporting regulation within 18 months of releasing its notice of proposed rulemaking (NPRM). With the NPRM published on 27 March 2024, the statutory deadline for the final rule is 27 September 2025. Once issued, covered entities will have 72 hours to report substantial cyber incidents and 24 hours to disclose ransomware payments. Operators should use the remaining runway to rehearse incident-response reporting, automate evidence capture, and align executive oversight so they are ready when the final rule hits the Federal Register.

Key compliance checkpoints

  • Entity scoping. Map business units and subsidiaries to CIRCIA’s covered critical infrastructure sectors and review exemptions for certain small businesses or regulated financial institutions.
  • Data pipelines. Instrument telemetry and case-management systems to extract the data elements CIRCIA will require—attack vectors, vulnerabilities exploited, business impacts, and mitigation steps—within the 72-hour window.
  • Board governance. Update disclosure committees and board briefings so directors understand the forthcoming reporting triggers, liability protections, and information-sharing constraints.

Operational priorities

  • Runbook rehearsal. Conduct tabletop exercises that incorporate CIRCIA reporting timelines, coordination with sector risk management agencies, and integration with SEC or state-level notification obligations.
  • Vendor coordination. Ensure managed service providers and cloud platforms can supply incident artefacts fast enough to support the 72-hour report and 24-hour ransomware disclosure.
  • Legal privilege. Establish privilege protocols so breach investigations, draft reports, and communications with CISA maintain appropriate protections while meeting statutory deadlines.

Enablement moves

  • Deploy CIRCIA-specific reporting templates and APIs aligned with CISA’s forthcoming form schema to minimise manual drafting.
  • Centralise evidentiary storage—packet captures, forensic images, and mitigation records—to streamline subsequent requests from CISA or sector regulators.
  • Coordinate with government affairs teams on the forthcoming joint rulemaking for subpoenas and enforcement to understand penalty exposure.


Zeph Tech builds CIRCIA-ready response programs—automating evidence capture, integrating reporting APIs, and coaching executives on statutory obligations before the final rule drops.
