Report Cyber Incident Information to CISA

Help Strengthen Our Collective Defense

State, local, tribal and territorial (SLTT) governments are on the front lines of cybersecurity. Whether it’s a phishing email targeting a small-town clerk or ransomware disrupting a huge city’s emergency services, you see real threats every day.

According to Verizon’s 2025 Data Breach Investigations Report:

System intrusion figured into 65% of breaches by external actors

Ransomware figured into 44% of the total breaches they investigated

Phishing figured into 43% of the specifically public sector breaches they investigated

Exploitation of vulnerabilities is up 34% from the previous year

Reporting cyber incidents to CISA helps protect not just your organization, but others across the country. CISA can then analyze the threat, alert other SLTTs and partners and share actionable guidance to help prevent similar attacks. The sooner you report, the sooner CISA and others can act.

So please, report any cyber incident to CISA—even if you already have other reporting requirements—to help strengthen your and others’ cyber defenses.

What is cyber incident information sharing?

Cyber incident information sharing means reporting suspected or confirmed cyberattacks, system vulnerabilities or suspicious activity to CISA. In return, CISA shares threat intelligence, mitigation tips and technical assistance.

This sharing is bidirectional:

You share: Indicators of compromise, attack methods, timelines and system impacts

CISA shares: Alerts, threat bulletins, mitigation advice, protective measures and tools to reduce risk

Why does it matter for SLTTs?

SLTTs manage vital services—from 911 dispatch and emergency services to water treatment and public health. Yet many operate with limited cybersecurity resources, leaving them vulnerable to fast-moving and sophisticated cyber threats.

Many of these services fall under the nation’s critical infrastructure and a single breach could have cascading effects beyond one locality. For example, an attack on a city’s water treatment system or emergency dispatch center doesn’t just put data at risk; it can disrupt public health, safety and trust in government.

When you share incident information with CISA, you’re not just protecting your network. You’re helping defend interconnected infrastructure across your state, region and the nation.

Sharing incidents with CISA helps you:

Speed up response to current threats

Warn peers and prevent repeat attacks

Get federal expertise, tailored guidance and technical assistance

Contribute to national cyber defense

How to Report to CISA

You don’t need to wait for a major breach to share with CISA. Even suspected activity can be valuable.

Report incidents early—don’t wait until full investigation

Include relevant details like indicators of compromise (IOCs), system impacts and attacker behavior

Designate a point of contact on your IT or emergency management team

Ask for feedback—CISA can offer analysis and support

Use CISA's reporting tools (see links below)

Reporting cyber incidents to CISA helps you and your community respond faster, fix vulnerabilities smarter and stay ahead of evolving threats.

Reporting incidents to CISA doesn’t replace any other reporting obligations your organization may have—such as to state agencies, Fusion Centers or the FBI—but it helps ensure that your incident information contributes to broader national awareness and protects others.