CIRCIA: Cyber Incident Reporting for Critical Infrastructure Act

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) established a federal mandate requiring covered critical infrastructure entities to report covered cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). Signed into law in March 2022 as part of the Consolidated Appropriations Act, 2022, CIRCIA is the broadest mandatory federal cyber incident reporting regime enacted to date. The statute's implementing rulemaking, still in progress as of 2024, will define the precise timelines, thresholds, and covered entity categories that shape compliance obligations across the 16 critical infrastructure sectors, and the reporting obligations do not take effect until the final rule does.

Definition and scope

CIRCIA (Pub. L. 117-103, Division Y) applies to "covered entities" — organizations operating within critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21). Those 16 sectors include energy, water and wastewater systems, healthcare and public health, transportation, financial services, communications, and information technology, among others.

Two distinct reporting obligations govern the statute:

  1. Covered Cyber Incident Reports — required within 72 hours of a covered entity reasonably believing a covered cyber incident has occurred.
  2. Ransom Payment Reports — required within 24 hours of a ransom payment being made following a ransomware attack.

The final definitions of "covered entity" and "covered cyber incident" are being established through a Notice of Proposed Rulemaking (NPRM) managed by CISA, published in the Federal Register in April 2024 (CISA CIRCIA Rulemaking page). The NPRM proposed a two-part test: an entity in a critical infrastructure sector is covered if it exceeds the applicable Small Business Administration size standard, or if it meets one of a set of sector-based criteria that apply regardless of size. Small size alone therefore does not guarantee exemption under the proposal, and the criteria remain subject to change in the final rule. Until the final rule takes effect, reporting to CISA remains voluntary.

Federal agencies are not the target of CIRCIA; they report cyber incidents under the Federal Information Security Modernization Act (FISMA) and CISA's Federal Incident Notification Guidelines, while OMB Memorandum M-21-31 governs the event logging that supports investigation of those incidents rather than the reporting itself.

How it works

CIRCIA's operational structure assigns CISA as the lead receiving agency for incident reports, with a mandate to share information with the FBI, the Office of the National Cyber Director, and the Sector Risk Management Agencies (SRMAs, formerly called sector-specific agencies) such as the Department of Energy for the energy sector and the Department of Health and Human Services for the healthcare and public health sector.

The reporting and coordination process follows a structured sequence:

  1. Incident identification — The covered entity determines whether a cyber incident meets the statutory definition of a "covered cyber incident," which centers on substantial impact to information systems or the confidentiality, integrity, or availability of data.
  2. 72-hour notification — A report is submitted to CISA containing entity identification, a description of the incident, the affected systems and data, and the tactics or techniques used where known.
  3. 24-hour ransom payment report — If a ransom payment has been made, a separate report is due within 24 hours, including the amount and form of payment and any technical indicators.
  4. Supplemental reporting — Covered entities must promptly file supplemental reports when substantial new or different information becomes available, or when a ransom payment is made after the initial report, and this obligation continues until the entity notifies CISA that the incident has concluded and been fully mitigated and resolved.
  5. CISA analysis and dissemination — CISA aggregates reports, produces anonymized threat intelligence, and shares actionable information with government partners and critical infrastructure owners through its existing information-sharing mechanisms.

CIRCIA also gives CISA an enforcement path: if CISA has reason to believe an entity failed to report, it may first issue a request for information, and if it receives no adequate response it may issue a subpoena; an entity that does not comply with the subpoena can be referred to the Attorney General for civil enforcement. The statute pairs this with protections for reporting entities: reports submitted in compliance are exempt from FOIA disclosure, cannot be used as the sole basis for a cause of action against the reporting entity, and do not waive applicable privileges.

Common scenarios

Three scenarios illustrate how the two obligations combine in practice:

Ransomware with payment — A water utility's operational technology network is encrypted by a ransomware group. The utility pays a ransom to restore operations. Under CIRCIA, both a covered cyber incident report (within 72 hours of reasonable belief that the incident occurred) and a ransom payment report (within 24 hours of the payment) are required; the statute permits a single report to satisfy both obligations when the payment falls within the 72-hour window. This is the most time-compressed dual-reporting scenario, and a payment made after the initial report additionally triggers a supplemental report.

Network intrusion without ransomware — A financial services firm detects unauthorized access to a core banking system. No ransom is demanded, but the intrusion meets the "substantial impact" threshold. A single covered cyber incident report is required within 72 hours.

Supply chain compromise affecting a covered entity — A healthcare organization's third-party software vendor is compromised, and the malicious code affects the healthcare entity's systems. The healthcare entity bears its own CIRCIA reporting obligation for the impact on its systems regardless of where the compromise originated; whether the vendor has a separate obligation depends on whether the vendor is itself a covered entity that experienced a covered cyber incident. This scenario highlights that CIRCIA's obligations attach to the covered entity experiencing the impact, not to the origin of the compromise, so a covered entity cannot rely on its vendor's report to discharge its own duty.

Organizations selecting incident response providers through the security providers directory should confirm that those providers have documented CIRCIA report-preparation capabilities, since the 72-hour and 24-hour clocks leave little room to assemble the required facts after the fact.

Decision boundaries

The two primary classification axes under CIRCIA are entity coverage and incident severity threshold.

Covered entity vs. non-covered entity: Organizations outside the 16 PPD-21 sectors are not subject to mandatory CIRCIA reporting. Within those sectors, the NPRM proposed that entities below the applicable SBA size standard are covered only if they meet a sector-based criterion, so size is a necessary but not sufficient basis for concluding an entity is out of scope. Voluntary reporting to CISA remains available and encouraged under the statute.

Covered cyber incident vs. reportable threshold: Not every security event triggers CIRCIA. The rulemaking is expected to exclude routine security events, scans, and unsuccessful intrusion attempts. Events that cause or are reasonably likely to cause demonstrable impact to system confidentiality, integrity, or availability — particularly to operational continuity of critical infrastructure — are the target scope.

CIRCIA vs. existing state breach notification laws presents a separate boundary question. State laws such as California's data breach notification statutes (Cal. Civ. Code §§ 1798.29 and 1798.82) address disclosure obligations when personal data is exposed, while CIRCIA addresses operational security incidents regardless of whether personal data is involved. The two frameworks can be triggered by the same incident but serve distinct regulatory purposes, run on different clocks, and go to different recipients, so each must be tracked separately in the incident response plan.

The security provider network purpose and scope section of this resource describes how CIRCIA-regulated sectors map to the professional services landscape indexed here. Professionals and firms listed in the security providers directory that operate in covered sectors should treat CIRCIA reporting timelines as a baseline incident response planning requirement, not a post-incident consideration.
