CISA will host public meetings amid pressure to quickly finalize the CIRCIA rules and calls to address widespread critiques of the draft regulations.
The Cybersecurity and Infrastructure Security Agency is restarting public engagements on delayed cyber incident reporting rules that will likely cover tens of thousands of critical infrastructure organizations.
The meetings come as CISA faces pressure to issue the final regulations quickly, while some lawmakers and industry groups also want the agency to amend the draft rules to be less broad and burdensome.
Starting Monday, CISA will host a series of virtual town halls to get feedback on the draft regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The meetings will run through Wednesday.
CISA had initially planned to host the meetings this spring, but they were delayed due to the partial government shutdown.
Earn CPE credit: The latest webinar from the Billington CyberSecurity Cyber and AI Outlook Series will focus on the real-world risks facing AI deployments across the federal landscape. Register now!
During a keynote address at a June 9 conference hosted by Axonius in Washington, acting CISA Director Nick Andersen said CIRCIA reporting will be part of a “nationwide shift” in how government measures cyber risks and threats.
“We need your substantive feedback to be able to make that as good as it can be,” Andersen said.
The reporting rules will apply across 16 critical infrastructure sectors, ranging from electric utilities and water systems to hospitals and chemical facilities. Under the regulations, covered entities will have to report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
Congress passed the law in reaction to escalating cyber attacks targeting critical infrastructure, most notably the 2021 Colonial Pipeline ransomware incident.
CISA says the incident reports will allow it to “rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”
But 2024 draft CIRCIA regulations issued under the Biden administration have received pushback for being overly broad, covering an estimated 300,000 entities, and ambiguous in how they define a cyber incident that requires reporting to CISA.
The rules have also been criticized for conflicting with dozens of sector-specific cyber reporting regulations. Officials have said CISA will establish information-sharing agreements with other agencies to reduce overlap, but there have been few details regarding progress on those agreements.
Sign up for our daily newsletter so you never miss a beat on all things federal
Last year, the Trump administration stalled implementation of the rules to get additional feedback.
During a June 10 event hosted by the Homeland Security Defense Forum in Washington, House Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.) said he was glad the administration ultimately delayed CIRCIA. He called the draft rules “not good.”
“We were so happy to get done and then all of a sudden, it’s not what we what we intended,” Garbarino said. “So making sure that it is what we intended … because there were so many reporting regulations out there. We wanted this to be the one, not just one another one. So getting it done right is very important to me.”
But other lawmakers are pressing CISA to quickly finalize the rule.
In their report on the fiscal 2027 homeland security spending bill, lawmakers on the GOP-led House Appropriations Committee wrote that the panel is “concerned about delays in publishing the final CIRCIA rule and urged CISA to finalize it promptly following stakeholder review and feedback.”
The report directs CISA to brief the committee on its CIRCIA plans as part of quarterly budget and staffing briefings.
In response to a question from a reporter following his keynote at Axonius, Andersen said he doesn’t have a specific deadline in mind for finalizing CIRCIA.
“I don’t want to presuppose the amount and the types of comments that we’re going to get coming out of the town halls,” Andersen said. “We could have a lot of comments that come to us and really radically change our way of thinking about what the need is here, but our focus is just on what’s the original congressional intent behind CIRCIA. What is the greatest need that we’re going to be able to serve, and how it’s going to be able to further the mission that we have for the nation, but right now, I don’t have a particular date to give you for finalization.”
The regulations are the first that CISA has developed. The cyber agency, created in 2018, has primarily relied on voluntary partnerships with the private sector.
Read more: Cybersecurity
Another key question is how readily and effectively CISA will be able to process numerous cyber incident reports from across sectors.
CISA’s fiscal 2027 budget request details how the agency is creating an “unclassified ticketing system with role-based access controls” to help manage CIRCIA. The system will allow for “integration with other tools in a unified ecosystem, preparing CISA to securely receive, aggregate, analyze, enrich, and share information from reports,” the budget request states.
CISA is also creating a new “front-facing web portal” for entities to submit CIRCIA reports, according to the budget request.
Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Follow @jdoubledayWFED
CISA revives push toward long-awaited cyber incident reporting rules – Federal News Network
Leave a Comment
