CIRCIA FAQs

Notice of Proposed Rulemaking

For use during the Public Comment Period

What is the CIRCIA Notice of Proposed Rulemaking (NPRM)?

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

As part of the rulemaking process, CIRCIA required that CISA develop and publish a Notice of Proposed Rulemaking (NPRM). The NPRM contains CISA’s proposed regulations for implementing the CIRCIA regulatory program, including the covered cyber incident and ransomware payment reporting requirements, as well as the rationale behind CISA’s proposed approach, alternatives considered by CISA, and other information to help stakeholders understand and consider the proposed regulations. Along with the NPRM, CISA has also published for public comment a CIRCIA Proposed Rulemaking Preliminary Regulatory Impact Analysis/Initial Regulatory Flexibility Analysis and a proposed CIRCIA Privacy and Civil Liberties Guidance document. 

Why is CISA publishing the NPRM? 

CIRCIA requires CISA to publish a Notice of Proposed Rulemaking in the Federal Register. Pursuant to the Administrative Procedure Act, NPRMs must be made available for public comment. Beyond simply complying with the minimum statutory requirement, CISA is committed to providing stakeholders from across the spectrum, including state, local, and private sector stakeholders and members of the public, with the opportunity to provide ideas and perspectives during the CIRCIA rulemaking process, in a manner consistent with law. By publishing an NPRM, CISA is able to receive input from across the stakeholder community, which CISA can then consider as it develops the Final Rule.

Where can I find the NPRM? 

You can read the NPRM in the Federal Register. You can submit your comments on the NPRM, as instructed in the NPRM, on the Federal eRulemaking Portal.

When is the NPRM open for comment and input? 

The 60-day public comment period began on April 4 and ends on June 3.

How can I provide feedback and comment on the NPRM?  

CISA is seeking written feedback on the draft NPRM during a 60-day public comment period, which began April 4 and ends June 3. You can submit your comments here, following the instructions provided in the NPRM available here.

Can I get an extension? I missed the deadline; can I still submit?

The deadline to provide comments on the NPRM is June 3. We do not anticipate granting extensions.

How do I find other materials relevant to the CIRCIA rulemaking?

In addition to the NPRM text, you can review and provide comments on the draft CIRCIA Privacy and Civil Liberties Guidance document and the CIRCIA Proposed Rulemaking Preliminary Regulatory Impact Analysis/Initial Regulatory Flexibility Analysis (RIA). These items are available in the rulemaking “docket.” The full rulemaking docket (available here) also includes comments submitted to date by other stakeholders in response to the NPRM, as well as comments previously submitted in response to CISA’s September 2022 CIRCIA Request for Information and transcripts for all of the previously conducted CIRCIA listening sessions.

How do I find other comments submitted on the NPRM? 

Public comments will be added to the docket as they are submitted. If you would like to view comments submitted by other entities, those will be available to view here.

I want to talk to someone at CISA about the NPRM, or I have questions about the CIRCIA rulemaking process. How do I do that?

To ensure fairness and transparency, CISA will not accept verbal feedback on the NPRM. Therefore, we encourage all interested parties to submit written comments as instructed in the preamble of the NPRM available here. If you have questions about the rulemaking process, you may email them to CIRCIA@cisa.dhs.gov.

How did CISA solicit feedback during the NPRM development process?

While developing the NPRM, CISA sought feedback from an array of public and private sector stakeholders in an effort to effectively balance relevant considerations in implementing CIRCIA’s requirements. CISA published a request for information (RFI) in the Federal Register in September 2022; held in-person, public listening sessions around the country; conducted virtual, sector-specific listening sessions; and consulted with sector risk management agencies (SRMAs) and other relevant federal departments and agencies, all with the goal of receiving meaningful input from the full spectrum of potentially relevant stakeholders. CISA has considered this feedback when developing the proposals set forth in this NPRM.

What are the purposes of the CIRCIA regulations?

By requiring Covered Entities to report Covered Cyber Incidents and Ransom Payments to CISA, the CIRCIA regulations will help improve the nation’s cybersecurity posture in various ways, such as by allowing CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and share that information with network defenders so that they may take actions as they deem necessary to prevent themselves from becoming victims of similar incidents.

Now that the NPRM is published, does this mean that I am now required to report under CIRCIA?

No. CIRCIA’s regulatory requirements, including its reporting requirements, will not be effective until the Final Rule goes into effect. CIRCIA requires CISA to issue the Final Rule within 18 months after publication of the NPRM. The published Final Rule will expressly identify its effective date.

CISA encourages all organizations to voluntarily share information on cyber incidents with CISA prior to the effective date of the Final Rule, which can be done at cisa.gov/report.

Why is CISA providing only 60 days to provide comments on the NPRM?

Per the statutory requirement provided by Congress, CISA only has 18 months from the date of publication of the NPRM to issue the Final Rule. CISA believes that a 60-day comment period provides stakeholders with adequate time to review and provide comments on the proposed rule while ensuring CISA has sufficient time to complete the rulemaking process in the statutorily provided timeframe. CISA believes this timeframe is manageable in large part due to the extensive public engagement CISA has performed on the CIRCIA rulemaking effort to date, which includes publishing a Request for Information, hosting 10 in-person public listening sessions across the country, and conducting virtual, sector-specific listening sessions, all of which were designed to provide stakeholders with the opportunity to provide their perspectives on potential aspects of the proposed regulation prior to publication of the NPRM.