The Cybersecurity and Infrastructure Security Agency (CISA) plans to finalize a cybersecurity incident reporting rule in September that would require critical infrastructure entities to report major cyber incidents directly to CISA, according to a regulation document published last week.
This rule finalizes regulations to implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Specifically, CIRCIA directs CISA to develop and implement regulations requiring covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments.
Under the law, critical infrastructure entities would be required to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
CISA published its notice of proposed rulemaking on April 4, 2024. According to the regulation document, the agency received significant public comments, many of which called for reducing the scope and burden of the proposed reporting requirements, improving alignment with other federal cyber incident reporting requirements, and clarifying key terms.
The agency said it is considering the public comments and examining options for the rulemaking.
Although the CIRCIA measure passed Congress in 2022, the final rule has faced repeated delays. CISA published its first procedural notice for the rule in April 2024 and missed the statutory deadline to finalize the regulation by October 2025.
Last month, the agency held additional stakeholder town halls to discuss the directive after a now-resolved Department of Homeland Security shutdown in the spring delayed the meetings.