Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency


Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

Report a Cyber Issue
Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or (888) 282-0870.

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.  These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

Rulemaking Process

These new authorities are regulatory in nature and require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CIRCIA requires CISA to develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open for public comment, and a Final Rule. CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, and a soon-to-be formed, DHS-chaired Cyber Incident Reporting Council. This work is already underway.

CISA is committed to receiving inputs into the NPRM from other stakeholders as well, such as critical infrastructure owners and operators and other members of the potentially regulated community, while maintaining the rulemaking schedule required by statute.  

Voluntary Sharing of Information about Cyber Incidents

While covered cyber incident and ransomware payment reporting under CIRCIA will not be required until the Final Rule implementing CIRCIA’s reporting requirements goes into effect, CISA encourages critical infrastructure owners and operators to voluntarily share with CISA information on cyber incidents prior to the effective date of the final rule. 

When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.

CISA encourages all organizations to share information about unusual cyber activity and/or cyber incidents 24/7 via report@cisa.gov or (888) 282-0870. To learn more about how to Observe, Act, and Report cyber incidents, view our fact sheet on Sharing Cyber Event Information.

Sharing Cyber Event Information Fact Sheet (PDF, 199.32 KB)

Additional Resources

  • Cyber Incident Reporting for Critical Infrastructure Act of 2022 Publication (PDF, 149.47 KB)
  • Cyber Incident Reporting for Critical Infrastructure Act of 2022 Fact Sheet (PDF, 302.05 KB)
  • StopRansomware.gov
  • Ransomware Vulnerability Warning Pilot (RVWP) Fact Sheet (Mar 13, 2023)

Background and Facts About CIRCIA 

Background

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report to CISA covered cyber incidents and ransom payments. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

Cyber Incident Reporting Initiatives 

CIRCIA includes a number of requirements related to the required reporting and sharing of covered cyber incidents, to include the following:

  • Cyber Incident Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing: Any federal entity receiving a report on a cyber incident after the effective date of the final rule must share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours.
  • Cyber Incident Reporting Council: DHS must establish and chair an intergovernmental Cyber Incident Reporting Council (Council) to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives 

CIRCIA additionally authorizes or requires a number of initiatives related to combatting ransomware, to include the following:

  • Ransom Payment Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any ransom payments made as a result of a ransomware attack within 24 hours of making the payment. CISA must share such reports with federal agencies, similar to above.
  • Ransomware Vulnerability Warning Pilot Program: On January 30, 2023, CISA established a pilot that identifies vulnerabilities commonly associated with known ransomware exploitation and warns critical infrastructure entities of those vulnerabilities, thus enabling timely mitigation before damaging intrusions occur. 
  • Joint Ransomware Task Force: CISA has announced the launch of the Joint Ransomware Task Force in accordance with the statute to build on the important work that has already begun to coordinate an ongoing nationwide campaign against ransomware attacks. CISA will continue working closely with the Federal Bureau of Investigation and the National Cyber Director to build the task force.

Implementing CIRCIA's Reporting Requirement 

  • Some of the new authorities are regulatory in nature and require CISA to complete rulemaking activities before the reporting requirements go into effect.
  • As part of the rulemaking process, CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the enactment of CIRCIA, and to issue a Final Rule setting forth the regulatory requirements within 18 months of the publication of the NPRM.
  • CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies (SRMAs), the Department of Justice (DOJ), other appropriate Federal agencies, and the Council.
  • As CISA wants to ensure that the proposed rule benefits from the perspectives of our broad partner community, CISA will also be publishing a Request for Information later this year in the Federal Register and will also be hosting a series of listening sessions where stakeholders will be able to provide thoughts on the statutory requirements directly to members of CISA.

Sharing Information with CISA About Cyber Incidents or Ransom Payments 

  • Until the effective date of the Final Rule, organizations are not required to submit cyber incident or ransom payment reports under CIRCIA.
  • However, CISA strongly encourages organizations to continue voluntarily sharing cyber event information with CISA throughout the rulemaking period prior to the Final Rule’s effective date.
  • When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.

Share Information About a Cyber Incident

Organizations can share information about unusual cyber activity and/or cyber incidents to report@cisa.gov or (888) 282-0870.

Frequently Asked Questions (FAQ)

Q. What is CISA required to do under CIRCIA to implement the reporting requirement?

  • Some of the new authorities are regulatory in nature and require CISA to complete rulemaking activities before the reporting requirements go into effect.
  • Specifically, the law requires that CISA develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open for public comment, and a Final Rule.
  • CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies (SRMA), the Department of Justice (DOJ), other appropriate Federal agencies, and a soon-to-be formed U.S. Department of Homeland Security (DHS)-chaired Cyber Incident Reporting Council. CISA is working to complete these activities within the statutorily mandated timeframes.

Q. Am I now required to submit reports of cyber incidents or ransomware payments to CISA?  If not now, when will this requirement go into effect? 

  • Organizations are not required to submit cyber incident or ransomware payment reports under CIRCIA until the yet-to-be-determined effective date of the Final Rule. 
  • Nevertheless, CISA strongly encourages organizations to continue voluntarily sharing cyber event information with CISA throughout the rulemaking period prior to the Final Rule’s effective date. 
  • When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.
  • Organizations can report unusual cyber activity and/or cyber incidents to report@cisa.gov or (888) 282-0870.

Q. How long is the rulemaking process going to take? 

  • CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the enactment of CIRCIA, and to issue a Final Rule setting forth the regulatory requirements within 18 months of the publication of the NPRM.

Q. I have some ideas on how reports should be made.  How can I contribute to the development of the rule? 

  • All members of the public will have the opportunity to review and provide comments on the Notice of Proposed Rulemaking, which is required to be published no later than March 2024.
  • CISA also plans to release a Request for Information (RFI) and host a series of listening sessions through which stakeholders will be able to provide CISA with their perspectives on various aspects of CIRCIA’s future regulations. CISA will share more information on both the RFI and listening sessions as it becomes available.

Q. My [council, company, organization, etc.] is interested in receiving a briefing on and/or discussing CIRCIA with CISA.  How can I schedule a briefing/meeting? 

  • All members of the public will have the opportunity to review and provide comments on the Notice of Proposed Rulemaking, which is required to be published no later than March 2024.
  • CISA also plans to release a Request for Information (RFI) and host a series of listening sessions through which stakeholders will be able to provide CISA with their perspectives on various aspects of CIRCIA’s future regulations.  CISA will share more information on both the RFI and listening sessions as it becomes available.  

For Media Inquiries

For media inquiries, please contact CISA Media at CISAMedia@cisa.dhs.gov.
