Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marked an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

Rulemaking Process

Some of CISA’s authorities under CIRCIA are regulatory in nature and require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CISA developed a Notice of Proposed Rulemaking (NPRM), which was published on April 4, 2024 in the Federal Register and was open for public comment until July 3. The NPRM is available at www.federalregister.gov.  The public comments submitted in response to the NPRM have been posted to the rulemaking docket on regulations.gov and can be found searching for CISA-2022-0010-0163.   

CISA consulted with various entities throughout the rulemaking process for the NPRM, including Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, and the DHS-chaired Cyber Incident Reporting Council. CISA has also consulted with various non-federal stakeholders throughout the rulemaking process. CISA will review and consider the comments received during the public comment period in developing the Final Rule, which CISA is required to publish 18 months after the publication of the NPRM. 

Frequently Asked Questions (FAQs)

CIRCIA FAQs

Voluntary Sharing of Information about Cyber Incidents

While covered cyber incident and ransomware payment reporting under CIRCIA will not be required until the CIRCIA Final Rule goes into effect, CISA encourages all entities to voluntarily share with CISA information on cyber incidents prior to the effective date of the Final Rule. 

When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.

CISA encourages all organizations to share information about unusual cyber activity and/or cyber incidents via cisa.gov/report.

Background on CIRCIA

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marked an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report to CISA covered cyber incidents and ransom payments. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

Cyber Incident Reporting Initiatives 

CIRCIA includes a number of requirements related to the required reporting and sharing of covered cyber incidents, including the following:

• Cyber Incident Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents no later than 72 hours from the time the entity reasonably believes the incident occurred. CISA’s proposed regulations that would implement this requirement are reflected in the CIRCIA NPRM.
• Federal Cyber Incident Report Sharing: Any federal agency, including independent establishments, receiving a report on a cyber incident after the effective date of the Final Rule must share that report with CISA no later than 24 hours. Similarly, after the effective date of the Final Rule, CISA will also have to make information received under CIRCIA, including reports received from other federal agencies, available to appropriate federal agencies within 24 hours.
• Cyber Incident Reporting Council: DHS was required to establish and Chair an intergovernmental Cyber Incident Reporting Council (Council) to coordinate, deconflict, and harmonize federal incident reporting requirements. On September 19, 2023, DHS delivered to Congress a report, informed by the work of the CIRC, entitled “Harmonization of Cyber Incident Reporting to the Federal Government.”

Ransomware Initiatives 

CIRCIA additionally authorizes or requires a number of initiatives related to defending against ransomware, to include the following:

• Ransom Payment Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments made as a result of a ransomware attack. CISA must share such reports with federal agencies, similar to above. CISA’s proposed regulations that would implement this requirement are reflected in the CIRCIA NPRM.
• Ransomware Vulnerability Warning Pilot (RVWP) Program: On January 30, 2023, CISA established the RVWP, leveraging existing authorities and technology to identify systems with vulnerabilities commonly associated with known ransomware exploitation and warn entities of those vulnerabilities, thus enabling timely mitigation before damaging intrusions occur. 
• Joint Ransomware Task Force: Since 2022, CISA and the Federal Bureau of Investigation (FBI) have led the Joint Ransomware Task Force (JRTF), an interagency body established to unify and strengthen efforts against the ongoing threat of ransomware. The JRTF continues its work to accelerate progress and work closely across the cybersecurity community on several activities to include victim support, partner engagement, intelligence integration, and campaign coordination. 

Implementing CIRCIA's Reporting Requirement 

• Some of CISA’s authorities under CIRCIA are regulatory in nature and require CISA to complete rulemaking activities before the reporting requirements go into effect.
• As part of the rulemaking process, CIRCIA required CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the enactment of CIRCIA, and to issue a Final Rule setting forth the regulatory requirements within 18 months of the publication of the NPRM.
  
  • The NPRM was published in the Federal Register and became open for public comment on April 4, 2024 and the comment period closed on July 3, 2024.
  • The NPRM is available here.
  • The public comments submitted in response to the NPRM have been posted to the rulemaking docket on regulations.gov and can be found searching for CISA-2022-0010-0163.  
• Consistent with statutory requirements, CISA consulted with various entities throughout the rulemaking process for the NPRM, including Sector Risk Management Agencies (SRMAs), the Department of Justice (DOJ), other appropriate Federal agencies, and the DHS-led CIRC in developing the NPRM.
• To ensure that the proposed rule benefited from the perspective of our broad partner community, beginning in September 2022, CISA published a Request for Information (RFI), hosted 10 in-person public listening sessions across the country, and conducted virtual, sector-specific listening sessions. These mechanisms provided opportunities for stakeholders to provide CISA with their perspectives on potential aspects of the proposed regulation prior to publication of the NPRM.
• CISA also hosted virtual, sector-specific listening sessions with each of the 16 critical infrastructure sectors and with the Aviation Subsector.
• CISA is grateful to the hundreds of individuals, groups, and organizations who attended the in-person and virtual listening sessions and submitted written comments in response to the RFI and NPRM. 
• CISA is reviewing and adjudicating comments received in response to the NPRM. This work will continue as we work through the thorough and deliberative process of implementing CIRCIA consistent with authorities given to us by Congress in the Final Rule.
• Following publication of the Final Rule, CISA will engage with the public and stakeholder community to educate and inform stakeholders on the details of the Final Rule.
• This engagement is part of CISA’s continued effort to foster transparency, collaboration, and partnership with directly affected stakeholders and the general public.

Sharing Information with CISA About Cyber Incidents or Ransom Payments 

• Until the effective date of the Final Rule, organizations are not required to submit covered cyber incident or ransom payment reports under CIRCIA.
• However, CISA strongly encourages organizations to continue voluntarily sharing cyber event information with CISA throughout the rulemaking period prior to the Final Rule’s effective date.
• When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.