CIRCIA: Cyber Incident Reporting for Critical Infrastructure Act
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) establishes a federal mandate requiring covered entities in critical infrastructure sectors to report significant cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). Signed into law as part of the Consolidated Appropriations Act of 2022, CIRCIA creates the first uniform federal reporting regime for cyber incidents affecting the 16 critical infrastructure sectors designated under Presidential Policy Directive 21. The law's implementing regulations, being developed through a formal rulemaking process, will define precise timelines, covered entity thresholds, and reporting mechanics that will reshape cyber incident reporting requirements across the United States.
Definition and scope
CIRCIA (Public Law 117-103, Division Y) directs CISA to promulgate rules establishing mandatory reporting obligations for "covered entities" operating in critical infrastructure protection sectors. The statute defines two primary reporting obligations:
- Covered Cyber Incident Reports — filed within 72 hours of a covered entity reasonably believing a substantial cyber incident has occurred.
- Ransom Payment Reports — filed within 24 hours of a ransom payment being made following a ransomware attack.
A supplemental report is required if substantial new information becomes available after an initial submission, or if a ransom payment is made after a covered cyber incident report was already filed.
CISA published a Notice of Proposed Rulemaking (NPRM) in March 2024 for public comment. The proposed rule spans more than 400 pages and covers covered entity definitions, incident thresholds, reporting timelines, and exemptions. The final rule will determine which organizations — by sector, size, and function — fall within the mandate's scope.
The 16 covered sectors include energy, water, healthcare, financial services, transportation, communications, defense industrial base, and information technology, among others. Sector-specific details interact with existing regulations such as those enforced by the North American Electric Reliability Corporation (NERC), the Nuclear Regulatory Commission (NRC), and the Department of Health and Human Services (HHS) under HIPAA. CIRCIA is designed to complement, not supersede, those sector-specific cybersecurity regulations.
How it works
CIRCIA's operational framework involves four discrete phases:
- Incident identification — The covered entity determines whether an event meets the threshold of a "covered cyber incident," defined as a substantial cyber incident meeting criteria CISA will codify in regulation, including unauthorized access, disruption of operations, or data exfiltration affecting critical systems.
- Reporting submission — The entity submits a report to CISA through a web-based portal CISA is required to establish. Reports must include: the nature and scope of the incident, systems and data affected, vulnerabilities exploited, security controls in place, and contact information for the entity.
- Federal agency notification — CISA is required to share reported information with the FBI, the relevant Sector Risk Management Agency (SRMA), and other relevant federal agencies within 24 hours of receipt. This information-sharing mechanism is central to CIRCIA's purpose of enabling coordinated federal response and cybersecurity information sharing.
- Enforcement and subpoena authority — If a covered entity fails to report within the required window, CISA may issue a Request for Information (RFI). Noncompliance with the RFI triggers a subpoena. Continued noncompliance can result in referral to the Department of Justice and potential civil action. Contractors doing business with the federal government face additional debarment exposure.
CIRCIA also establishes a Cyber Incident Review Office within CISA, tasked with analyzing reported data to identify trends, develop advisories, and improve national-level situational awareness. This office connects directly to CISA's broader mandate and to the wider US cybersecurity regulatory framework.
Importantly, reports submitted under CIRCIA are protected from disclosure under the Freedom of Information Act (FOIA), cannot be used as evidence in regulatory enforcement actions outside of CIRCIA itself, and are shielded from use in private civil litigation — protections Congress included to encourage timely and complete reporting.
Common scenarios
CIRCIA reporting obligations are triggered across a range of operational contexts affecting critical infrastructure protection sectors:
- Ransomware attack on a hospital system — A regional hospital network experiences ransomware encryption of electronic health record systems. Both the covered cyber incident report (within 72 hours) and, if a ransom is paid, a ransom payment report (within 24 hours of payment) are required. This scenario intersects with healthcare cybersecurity obligations under HIPAA.
- Intrusion into an electric utility's operational technology network — A threat actor gains persistent access to industrial control systems. Even without confirmed data exfiltration, the unauthorized access to OT/ICS systems triggers reporting under CIRCIA's substantial incident criteria, alongside NERC CIP obligations. See also OT/ICS cybersecurity.
- Supply chain compromise affecting a defense contractor — A software update from a third-party vendor introduces malicious code into a contractor's environment. This scenario implicates CIRCIA reporting, supply chain cybersecurity risks, and potentially Cybersecurity Maturity Model Certification (CMMC) obligations.
- Distributed denial-of-service attack on a financial institution — A sustained DDoS attack disrupts transaction processing at a federally regulated bank. The disruption threshold, once defined in regulation, will determine whether this qualifies as a covered cyber incident under CIRCIA or is addressed solely through existing financial sector reporting channels.
Decision boundaries
Determining whether CIRCIA applies to a specific organization or incident requires navigating intersecting criteria that the final rule will clarify. The key decision boundaries include:
Covered entity vs. non-covered entity
The NPRM proposes classifying covered entities based on sector membership and size thresholds. Small businesses below defined employee or revenue thresholds may be exempt, though the thresholds vary by sector. Federal agencies are not covered entities under CIRCIA; they report under FISMA and related frameworks.
Covered cyber incident vs. minor incident
Not every security event triggers CIRCIA. The statute limits obligations to "substantial" incidents. The NPRM proposes qualitative criteria — including impact on confidentiality, integrity, or availability of critical systems — rather than purely quantitative thresholds. A phishing attempt that is blocked before system access does not trigger reporting; a confirmed intrusion into production operational systems does.
CIRCIA vs. existing sector-specific reporting
CIRCIA is explicitly designed to harmonize with, not eliminate, pre-existing reporting obligations. For example, banks subject to the OCC/Federal Reserve/FDIC joint rule requiring notification within 36 hours of a computer-security incident (12 CFR Part 53) must comply with both regimes on separate timelines. CIRCIA's NPRM includes a "substantially similar" exemption that may allow reports filed with SRMAs to satisfy CIRCIA requirements if the content meets CISA's standards — but this exemption has not yet been finalized.
Ransom payment reporting vs. covered incident reporting
These are independent obligations. A ransom payment triggers the 24-hour reporting requirement regardless of whether the underlying ransomware event meets the covered cyber incident threshold. An organization could theoretically owe a ransom payment report without owing a covered incident report — though in practice, ransomware attacks affecting critical systems will typically satisfy both thresholds. The national impact of ransomware makes this distinction operationally significant.
References
- CIRCIA — CISA Official Page
- Public Law 117-103 (Consolidated Appropriations Act of 2022, Division Y)
- CIRCIA Notice of Proposed Rulemaking — Federal Register (March 2024)
- Presidential Policy Directive 21 — Critical Infrastructure Security and Resilience
- CISA — Cybersecurity and Infrastructure Security Agency
- NERC CIP Standards
- OCC/Federal Reserve/FDIC Computer-Security Incident Notification Rule — 12 CFR Part 53
- NIST Cybersecurity Framework
- HHS HIPAA Security Rule