The Cyber Incident Reporting for Critical Infrastructure Act has been in a holding pattern since CISA missed its original October 2025 deadline. The final rule is now expected in May 2026. If you’ve been treating CIRCIA as a future problem, that window is closing fast.
This post isn’t about what CIRCIA says in theory. Most security professionals have read the summaries. It’s about what readiness actually looks like operationally — and where most organizations are still unprepared.
What CIRCIA Actually Requires
CIRCIA establishes a mandatory nationwide cyber incident and ransomware payment reporting regime for covered entities operating in critical infrastructure sectors. Once effective, covered entities must report a covered cyber incident within 72 hours and any ransomware payment within 24 hours.
Those timelines sound manageable until you map them against how most incident response actually runs. In the first 72 hours of a significant incident, your team is typically still in containment mode — identifying scope, preserving evidence, standing up communications channels, and figuring out what actually happened. Drafting and submitting a regulatory report is rarely anyone’s priority in that window.
That’s the gap. Not awareness of the requirement, but operationalization of it.
Who Is Covered
CISA estimates the rule will apply to some 316,000 entities across the country spanning all 16 critical infrastructure sectors — energy, financial services, healthcare, transportation, water, communications, and more. If your organization operates in any of these sectors, or if you’re a significant vendor or service provider to organizations that do, you need to determine your covered entity status now, not after the rule drops.
The covered entity determination isn’t always straightforward. Sector-specific criteria, ownership thresholds, and service relationships all factor in. If you haven’t made a formal determination with legal counsel, that’s your first task.
The Three Gaps Most Organizations Have
Gap 1: No defined reporting trigger criteria. CIRCIA requires reporting of “covered cyber incidents,” but most organizations don’t have documented criteria for what constitutes a reportable event. Without that definition, the 72-hour clock becomes impossible to manage because you’ll spend the first 24 hours debating whether the incident qualifies rather than preparing the report.
Work with legal and security leadership now to define your reporting triggers. What constitutes a substantial cyber incident under CIRCIA’s framework? Document it. Put it in your IRP.
Gap 2: No designated reporting owner. Someone needs to own the CIRCIA notification process with clear authority to submit reports on the organization’s behalf. In most IRPs, this role doesn’t exist or isn’t named. The reporting function needs an owner, a backup, and access to whatever portal CISA ultimately stands up for submissions.
Gap 3: No ransomware payment decision protocol. The 24-hour ransomware payment reporting window is the tightest deadline in the rule. Currently, the vast majority of cyberattacks in the US go unreported. CIRCIA is designed to change that dramatically — but 24 hours from payment decision to regulatory notification requires a pre-built process. If your ransomware playbook doesn’t include a reporting step immediately following a payment decision, it’s incomplete.
What to Do Before the Rule Drops
- Confirm covered entity status with legal counsel. Don’t assume — document the determination.
- Update your IRP to include CIRCIA reporting steps, timelines, and role assignments.
- Define your reporting trigger criteria so the 72-hour clock starts from a clear, documented threshold.
- Add a sanctions screening step before any ransom payment decision. As covered in the April 14 post, paying a ransom that benefits a sanctioned party is a separate legal exposure that compounds your CIRCIA obligations.
- Monitor CISA’s final rule publication and adjust your documented procedures once the rule text is final. The proposed rule has been significantly revised, and details matter.
The organizations that will be caught flat-footed are the ones waiting for the final rule to start building their process. By the time the rule drops, you want to be in refinement mode — not starting from scratch.

Discussion Questions
- Has your organization made a formal covered entity determination under CIRCIA? Is that determination documented?
- Does your current IRP include CIRCIA reporting steps with defined timelines and a named reporting owner?
- What are your documented trigger criteria for a “covered cyber incident” under CIRCIA’s framework? If you don’t have any, what’s blocking that conversation?
Further Reading
- CISA CIRCIA Overview and Updates: https://www.cisa.gov/circia
- CISA CIRCIA Proposed Rule (NPRM): https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-of-2022
- OFAC Ransomware Advisory (Sanctions Screening): https://ofac.treasury.gov/media/57346/download?inline