Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.  These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

Rulemaking Process

These new authorities are regulatory in nature and require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CIRCIA requires CISA to develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open for public comment, and a Final Rule. CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, and a soon-to-be formed, DHS-chaired Cyber Incident Reporting Council. This work is already underway.

CISA is committed to receiving inputs into the NPRM from other stakeholders as well, such as critical infrastructure owners and operators and other members of the potentially regulated community, while maintaining the rulemaking schedule required by statute.  

Voluntary Sharing of Information about Cyber Incidents

While covered cyber incident and ransomware payment reporting under CIRCIA will not be required until the Final Rule implementing CIRCIA’s reporting requirements goes into effect, CISA encourages critical infrastructure owners and operators to voluntarily share with CISA information on cyber incidents prior to the effective date of the final rule. 

When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.

CISA encourages all organizations to share information about unusual cyber activity and/or cyber incidents 24/7 via report@cisa.gov or (888) 282-0870.  To learn more about how Observe, Act, and Report cyber incidents, view our fact sheet on Sharing Cyber Event Information.

Background and Facts About CIRCIA 

Background

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report to CISA covered cyber incidents and ransom payments. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

Cyber Incident Reporting Initiatives 

CIRCIA includes a number of requirements related to the required reporting and sharing of covered cyber incidents, to include the following:

• Cyber Incident Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
• Federal Incident Report Sharing: Any federal entity receiving a report on a cyber incident after the effective date of the final rule must share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours.
• Cyber Incident Reporting Council: DHS must establish and Chair an intergovernmental Cyber Incident Reporting Council (Council) to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives 

CIRCIA additionally authorizes or requires a number of initiatives related to combatting ransomware, to include the following:

• Ransom Payment Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments made as a result of a ransomware attack. CISA must share such reports with federal agencies, similar to above.
• Ransomware Vulnerability Warning Pilot Program: On January 30, 2023, CISA established a pilot that identifies vulnerabilities commonly associated with known ransomware exploitation and warns critical infrastructure entities of those vulnerabilities, thus enabling timely mitigation before damaging intrusions occur. 
• Joint Ransomware Task Force: CISA has announced the launch of the Joint Ransomware Task Force in accordance with the statute to build on the important work that has already begun to coordinate an ongoing nationwide campaign against ransomware attacks. CISA will continue working closely with the Federal Bureau of Investigation and the National Cyber Director to build the task force.

Implementing CIRCIA's Reporting Requirement 

• Some of the new authorities are regulatory in nature and require CISA to complete rulemaking activities before the reporting requirements go into effect.
• As part of the rulemaking process, CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the enactment of CIRCIA, and to issue a Final Rule setting forth the regulatory requirements within 18 months of the publication of the NPRM.
• CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies (SRMAs), the Department of Justice (DOJ), other appropriate Federal agencies, and the Council.
• As CISA wants to ensure that the proposed rule benefits from the perspectives of our broad partner community, CISA released a 60-day Request for Information (RFI) on September 12, 2022, that closed in mid-November 2022.
• Individuals were able to submit written comments on potential aspects of the CIRCIA regulations in response to CISA's RFI via the Federal eRulemaking Portal identified by docket number CISA-2022-0010.

• CISA also hosted 10 listening sessions across the country through which stakeholders provided CISA with their perspectives on potential aspects of the proposed regulation prior to publication of the NPRM.

• CISA is grateful to the over 150 individuals who attended the in-person public listening sessions, many of whom took the opportunity to provide CISA with their perspectives on the potential CIRCIA regulations, as well as the approximately 130 individuals and organizations who submitted written comments in response to the RFI. 

• With the listening sessions and RFI complete, CISA is now reviewing the hundreds of comments received as we start to develop a draft rule. Per the standard rulemaking process, CISA will continue to consult with Federal interagency partners on the draft prior to its publication. CIRCIA requires that CISA publish the draft NRPM before the end of March 2024.

• Listening Session Transcripts have been posted to regulations.gov and can be found searching for CISA-2022-0010.

Sharing Information with CISA About Cyber Incidents or Ransom Payments 

• Until the effective date of the Final Rule, organizations are not required to submit cyber incident or ransom payment reports under CIRCIA.
• However, CISA strongly encourages organizations to continue voluntarily sharing cyber event information with CISA throughout the rulemaking period prior to the Final Rule’s effective date.
• When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.

Frequently Asked Questions (FAQ)

Q. What is CISA required to do under CIRCIA to implement the reporting requirement?

• Some of the new authorities are regulatory in nature and require CISA to complete rulemaking activities before the reporting requirements go into effect.
• Specifically, the law requires that CISA develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open for public comment, and a Final Rule.
• CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies (SRMA), the Department of Justice (DOJ), other appropriate Federal agencies, and a soon-to-be formed U.S. Department of Homeland Security (DHS)-chaired Cyber Incident Reporting Council. CISA is working to complete these activities within the statutorily mandated timeframes.

Q. Am I now required to submit reports of cyber incidents or ransomware payments to CISA?  If not now, when will this requirement go into effect? 

• Organizations are not required to submit cyber incident or ransomware payment reports under CIRCIA until the yet-to-be-determined effective date of the Final Rule. 
• Nevertheless, CISA strongly encourages organizations to continue voluntarily sharing cyber event information with CISA throughout the rulemaking period prior to the Final Rule’s effective date. 
• When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.
• Organizations can report unusual cyber activity and/or cyber incidents to report@cisa.gov or (888) 282-0870.

Q. How long is the rulemaking process going to take? 

• CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the enactment of CIRCIA, and to issue a Final Rule setting forth the regulatory requirements within 18 months of the publication of the NPRM.

Q. I have some ideas on how reports should be made.  How can I contribute to the development of the rule? 

• All members of the public will have the opportunity to review and provide comments on the Notice of Proposed Rulemaking, which is required to be published no later than March 2024. 

Q. My [council, company, organization, etc.] is interested in receiving a briefing on and/or discussing CIRCIA with CISA.  How can I schedule a briefing/meeting? 

• All members of the public will have the opportunity to review and provide comments on the Notice of Proposed Rulemaking, which is required to be published no later than March 2024.