An official website of the United States government
In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.
These new authorities are regulatory in nature and require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CIRCIA requires CISA to develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open for public comment, and a Final Rule. CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, and a soon-to-be formed, DHS-chaired Cyber Incident Reporting Council. This work is already underway.
CISA is committed to receiving inputs into the NPRM from other stakeholders as well, such as critical infrastructure owners and operators and other members of the potentially regulated community, while maintaining the rulemaking schedule required by statute.
While covered cyber incident and ransomware payment reporting under CIRCIA will not be required until the Final Rule implementing CIRCIA’s reporting requirements goes into effect, CISA encourages critical infrastructure owners and operators to voluntarily share with CISA information on cyber incidents prior to the effective date of the final rule.
When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.
CISA encourages all organizations to share information about unusual cyber activity and/or cyber incidents 24/7 via report@cisa.gov or (888) 282-0870. To learn more about how Observe, Act, and Report cyber incidents, view our fact sheet on Sharing Cyber Event Information.
In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report to CISA covered cyber incidents and ransom payments. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.
CIRCIA includes a number of requirements related to the required reporting and sharing of covered cyber incidents, to include the following:
CIRCIA additionally authorizes or requires a number of initiatives related to combatting ransomware, to include the following:
Q. What is CISA required to do under CIRCIA to implement the reporting requirement?
Q. Am I now required to submit reports of cyber incidents or ransomware payments to CISA? If not now, when will this requirement go into effect?
Q. How long is the rulemaking process going to take?
Q. I have some ideas on how reports should be made. How can I contribute to the development of the rule?
Q. My [council, company, organization, etc.] is interested in receiving a briefing on and/or discussing CIRCIA with CISA. How can I schedule a briefing/meeting?
Q. I have a cyber incident I’d like to report. What is the best way to do that?
For media inquiries, please contact CISA Media at CISAMedia@cisa.dhs.gov.
Was this webpage helpful? Yes | Somewhat | No
Need CISA’s help but don’t know where to start? Contact the CISA Service desk.
