Cyber Incident Reporting Requirements in the US
Federal and state-level mandates governing cyber incident reporting have expanded substantially across critical infrastructure sectors, financial institutions, healthcare organizations, and federal contractors. This page describes the regulatory landscape, the structural mechanics of reporting obligations, the categories of incidents that trigger mandatory disclosure, and the decision criteria that determine which framework applies to a given organization. Noncompliance with these obligations carries enforceable penalties across multiple agency jurisdictions.
Definition and scope
Cyber incident reporting requirements are legally binding obligations imposed on organizations to notify designated government bodies, regulators, or affected parties when a qualifying cybersecurity event occurs. These obligations are not uniform — they vary by sector, organization type, incident severity, and the nature of data or systems affected.
The scope of these mandates in the US spans at minimum four distinct regulatory regimes:
- CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022) — Administered by the Cybersecurity and Infrastructure Security Agency (CISA), CIRCIA establishes a forthcoming federal standard requiring covered critical infrastructure entities to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. Final rulemaking is being developed under CISA's authority per 6 U.S.C. § 681b.
- HIPAA Security Rule and Breach Notification Rule — Administered by the Department of Health and Human Services (HHS Office for Civil Rights), these rules require covered entities and business associates to notify HHS, affected individuals, and, for breaches involving 500 or more residents of a state, prominent local media outlets, within 60 days of discovery.
- SEC Cybersecurity Disclosure Rules — The Securities and Exchange Commission's final rule (Release No. 33-11216) requires publicly traded companies to disclose material cybersecurity incidents on Form 8-K promptly after the company determines that an incident is material.
- FISMA (Federal Information Security Modernization Act) — Federal agencies and their contractors operate under FISMA, which mandates incident reporting to the agency's Inspector General and to the Office of Management and Budget (OMB) via US-CERT/CISA within one hour for highest-severity incidents.
State-level breach notification laws — present in all 50 states — add a parallel layer of obligations for consumer-facing personal data breaches, with timelines ranging from 30 to 90 days depending on jurisdiction.
How it works
Reporting obligations are typically triggered by the detection of a qualifying event and follow a defined sequence of phases regardless of the governing framework:
- Detection and initial triage — The organization identifies an anomaly or confirmed breach. Internal security operations or an incident response team classifies the event against pre-defined severity thresholds.
- Threshold determination — The organization evaluates whether the incident meets the legal definition of a reportable event under each applicable regime. Under HIPAA, this involves applying the four-factor harm assessment established in 45 CFR § 164.402. Under CIRCIA, the assessment focuses on whether critical infrastructure operations were materially disrupted.
- Notification preparation — Organizations compile incident details: attack vector, systems affected, estimated scope of data involved, and mitigation steps taken. SEC rules require disclosure of the material aspects without compromising ongoing law enforcement investigations.
- Submission to designated bodies — Reports are filed through official channels: CISA's reporting portal, HHS's breach reporting tool, SEC's EDGAR system, or US-CERT's incident reporting form (us-cert.cisa.gov).
- Post-incident follow-up — Supplemental reports, updated findings, and remediation documentation may be required. CIRCIA contemplates a supplemental report mechanism following the initial 72-hour submission.
Common scenarios
Distinct incident types map to distinct reporting obligations:
- Ransomware attack on a hospital system — Triggers HIPAA breach notification if patient data was accessed or exfiltrated, CIRCIA reporting, since healthcare is a designated critical infrastructure sector, and potentially state breach notification laws in every state where affected patients reside.
- Data breach at a publicly traded fintech company — Triggers SEC Form 8-K disclosure promptly after the materiality determination, Financial Industry Regulatory Authority (FINRA) incident disclosure obligations, and state breach notification requirements for affected consumers.
- Federal contractor network intrusion — Triggers FISMA reporting obligations, and where the contractor holds a Defense Federal Acquisition Regulation Supplement (DFARS) contract (specifically DFARS 252.204-7012), reporting to the Department of Defense Cyber Crime Center (DC3) within 72 hours is mandatory.
- Operational technology disruption at an energy utility — Triggers reporting to the North American Electric Reliability Corporation under NERC CIP-008-6, which establishes 1-hour notification windows for certain Bulk Electric System cyber security incidents.
Decision boundaries
The critical distinctions determining which framework applies — and when — rest on four variables:
| Variable | Determining factor |
|---|---|
| Sector classification | Is the organization a covered critical infrastructure sector under CIRCIA's 16 designated sectors (CISA sector list)? |
| Data type | Does the breach involve protected health information (PHI), personally identifiable information (PII), or financial data? |
| Entity type | Is the organization a federal agency, federal contractor, publicly traded company, or private enterprise? |
| Incident nature | Was there unauthorized access, data exfiltration, ransomware deployment, or operational disruption? |
CIRCIA vs. HIPAA — CIRCIA applies to the organization as a critical infrastructure operator; HIPAA applies to the same organization as a healthcare data custodian. Both obligations may apply simultaneously and do not substitute for one another.
State law vs. federal law — Federal reporting to CISA or HHS does not preempt state breach notification obligations. Organizations operating across state lines may face concurrent notification timelines to 50 separate state attorneys general.
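As an added example (not part of the original page), the four decision variables above and the timelines listed earlier can be encoded as a small triage helper that returns every regime an incident triggers and the deadline each implies, so that concurrent federal and state clocks are visible at once. The sector set, the 30-day state floor, the field names and the sample incident are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical subset of CIRCIA's 16 sectors; the real covered-entity test is in CISA's rule.
CIRCIA_SECTORS = {"healthcare", "energy", "financial", "water", "communications"}
STATE_MIN_DAYS = 30  # conservative end of the 30-90 day state range (assumption)

@dataclass
class Incident:
    detected_at: datetime
    sector: str                     # e.g. "healthcare", "energy"
    entity_type: str                # "federal_agency" | "federal_contractor" | "public_company" | "private"
    data_types: set = field(default_factory=set)  # subset of {"PHI", "PII", "financial"}
    ransomware_payment: bool = False
    ot_disruption: bool = False
    dfars_7012: bool = False        # contract carries DFARS 252.204-7012
    highest_severity: bool = False  # FISMA highest-severity tier
    states_affected: set = field(default_factory=set)

def applicable_obligations(inc: Incident) -> dict:
    """Map incident attributes to regimes and the deadline each implies, measured
    from detection. None means the clock starts elsewhere (SEC 8-K runs from the
    materiality determination, not from detection)."""
    t, due = inc.detected_at, {}
    if inc.sector in CIRCIA_SECTORS:
        due["CIRCIA incident report (CISA)"] = t + timedelta(hours=72)
        if inc.ransomware_payment:
            due["CIRCIA ransomware payment report (CISA)"] = t + timedelta(hours=24)
    if "PHI" in inc.data_types:
        due["HIPAA breach notification (HHS OCR)"] = t + timedelta(days=60)
    if inc.entity_type == "public_company":
        due["SEC Form 8-K (after materiality determination)"] = None
    if inc.entity_type in {"federal_agency", "federal_contractor"} and inc.highest_severity:
        due["FISMA report (US-CERT/CISA)"] = t + timedelta(hours=1)
    if inc.dfars_7012:
        due["DFARS 252.204-7012 report (DC3)"] = t + timedelta(hours=72)
    if inc.sector == "energy" and inc.ot_disruption:
        due["NERC CIP-008-6 notification"] = t + timedelta(hours=1)
    if inc.states_affected and inc.data_types & {"PHI", "PII", "financial"}:
        due[f"State breach notification ({len(inc.states_affected)} states)"] = t + timedelta(days=STATE_MIN_DAYS)
    return due

def earliest_deadline(inc: Incident):
    """First fixed clock to beat; regimes whose clock has not started are skipped."""
    fixed = [d for d in applicable_obligations(inc).values() if d is not None]
    return min(fixed) if fixed else None

def hospital_ransomware_example() -> Incident:
    """Constructed sample: the hospital ransomware scenario described on this page."""
    return Incident(datetime(2024, 1, 15, 9, 0), "healthcare", "private", {"PHI"},
                    ransomware_payment=True, states_affected={"CA", "NY"})
```

For the sample hospital incident the helper reports CIRCIA (72 h), the CIRCIA ransomware payment clock (24 h), HIPAA (60 days) and state notification, with the 24-hour payment report as the first deadline.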