Status: proposed | Sector: critical infrastructure | Pub. L. 117-103, Division Y
Cyber Incident Reporting for Critical Infrastructure Act of 2022
Also known as: CIRCIA
CIRCIA requires critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The law is still in rulemaking — CISA published its Notice of Proposed Rulemaking in April 2024 and is expected to finalize the rule in 2025-2026. Once final, it will create the most comprehensive mandatory cyber incident reporting regime in the US.
Jurisdiction
United States (Federal)
Regulator
Cybersecurity and Infrastructure Security Agency
Effective
3/15/2022
Sector
critical infrastructure
Full Text / Summary
CIRCIA was signed into law on March 15, 2022, directing CISA to develop implementing regulations. The NPRM published April 4, 2024 proposed definitions of "covered entity" (entities in critical infrastructure sectors meeting size thresholds), "covered cyber incident" (substantial cyber incidents meeting severity thresholds), and reporting procedures. Key elements include: 72-hour reporting for covered cyber incidents; 24-hour reporting for ransomware payments; data preservation requirements; CISA authority to subpoena non-reporting entities; safe harbor protections for good-faith reporters; and information sharing with federal agencies. The final rule is expected to significantly expand mandatory cyber incident reporting in the US.