CISA Moving Forward With Cyber Incident Reporting Rules Impacting 316,000 Entities

CISA is seeking comment on the implementation of CIRCIA, which will cost $2.6 billion and will impact 316,000 entities.

The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which is estimated to impact as many as 316,000 entities.

President Biden signed CIRCIA into law in March 2022. CISA has since been working on its implementation, collaborating with the public and private sectors, as well as the critical infrastructure community. 

The cybersecurity agency on Wednesday announced a notice of proposed rulemaking (NPRM), asking the public to submit written comments on the proposal over a period of 60 days starting on April 4. 

“CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors,” said Secretary of Homeland Security Alejandro Mayorkas. 

CISA estimates that the proposed rules’ costs will total $2.6 billion over a period of 11 years. The agency said roughly 316,000 entities are potentially impacted and it expects to receive more than 210,000 CIRCIA reports, or approximately 25,000 reports per year starting in 2026.  

CISA recently requested $116 million for the CIRCIA program for fiscal year 2025, which it will use for staffing, processes, and technology. 

CIRCIA requires covered entities to inform CISA of significant cyber incidents within 72 hours and of ransomware payments within 24 hours of the payment being made. 

In addition to reporting requirements, CIRCIA has led to the creation of the Joint Ransomware Task Force (JRTF) and the Ransomware Vulnerability Warning Pilot (RVWP) Program, whose goal is to warn critical infrastructure organizations whose systems contain vulnerabilities that could be exploited by ransomware groups.

“[CIRCIA] will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule,” said CISA Director Jen Easterly. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

