What's Happening?
The Cybersecurity and Infrastructure Security Agency (CISA) has announced an additional opportunity for stakeholders to provide input on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Originally passed in 2022, CIRCIA aims to establish
reporting requirements for cyber incidents and ransom payments across various sectors. CISA missed its initial deadline for finalizing the rulemaking and now anticipates completion by Spring 2026. The agency will hold a series of virtual town hall meetings in March and April to gather feedback, focusing on refining the scope and reducing the regulatory burden of CIRCIA.
Why It's Important?
CIRCIA's implementation is crucial for enhancing the federal government's visibility into the cyber threat landscape, particularly for critical infrastructure sectors. The additional feedback period allows stakeholders to influence the final rule, potentially reducing compliance costs and aligning federal and state reporting requirements. The outcome of this process will impact how effectively the U.S. can respond to cyber threats and protect critical infrastructure. The health sector, among others, is closely monitoring the rule's development, as its inclusion in the reporting requirements is likely.
What's Next?
CISA will conduct town hall meetings across various sectors, including healthcare, energy, and transportation, to gather stakeholder input. The agency seeks actionable improvements to clarify or reduce the burden of CIRCIA's requirements. The feedback will inform the final rule, expected in Spring 2026. Stakeholders are encouraged to participate actively to ensure their concerns are addressed. The final rule will shape the future of cyber incident reporting and influence the U.S.'s overall cybersecurity posture.
