1670-AA04 202410 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 1670 Cybersecurity and Infrastructure Security Agency CISA 1600 Department of Homeland Security DHS Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements

The Cybersecurity and Infrastructure Security Agency (CISA) will finalize regulations to implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  Specifically, CIRCIA directs CISA to develop and implement regulations requiring covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments.  CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the date of enactment of CIRCIA as part of the process for developing these regulations.  CISA previously issued a Request for Information on September 12, 2022, and held a series of listening sessions seeking public input on potential aspects of the proposed regulation prior to publication of the NPRM. On April 4, 2024, CISA published the NPRM with a 60-day open comment period to solicit public feedback on the proposed regulations. On May 6, 2024, CISA extended the public comment period for an additional 30 days ending the comment period on July 3, 2024.

]]> Section 3(f)(1) Significant Previously Published in The Unified Agenda Final Rule Stage Yes No 6 CFR 226 6 U.S.C. 681 et seq. Statutory Final 10/04/2025 Final Rule Statutory NPRM 03/15/2024 Notice of Proposed Rulemaking Yes

The Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directs CISA to develop and implement regulations requiring covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments.  CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the date of enactment of CIRCIA and to publish a final rule 18 months after publication of the NPRM.  CISA previously issued a Request for Information on September 12, 2022, and held a series of listening sessions seeking public input on potential aspects of the proposed regulation prior to publication of the NPRM.   

]]>

This regulation is statutorily mandated by 6 U.S.C. 681 et seq.

]]>

As CISA has already begun making investments to operationalize the CIRCIA program in anticipation of the publication of the Final Rule in 2025, the Preliminary RIA for the NPRM presents an 11-year period of analysis with government costs for the two years prior to publication of the CIRCIA Final Rule included in the total cost of the proposed rule. Based on the primary estimates for industry’s cost of $1,444.5 million, and an estimated Government cost of $1.175.3 million, CISA estimates an 11-year undiscounted combined cost to industry and government of $2.6 billion. Discounted at 2%, the estimated 11-year cost of this proposed rule is $2.4 billion, with an annualized cost of $244.6 million.

 

Qualitative benefits include (a) improved incident reporting and response and (b) improved cybersecurity posture through improved ability to prevent or mitigate events through information sharing, early warning, threat analysis, and incident response. The preservation of data and records in the aftermath of a Covered Cyber Incident serves a number of critical purposes, such as supporting the ability of (a) analysts and investigators to understand how a cyber incident was perpetrated and by whom and (b) law enforcement to capture and prosecute perpetrators of cyber incidents and recover ill-gotten proceeds from the criminal activity.

]]> NPRM 04/04/2024 89 FR 23644 NPRM Comment Period Extended 05/06/2024 89 FR 37141 NPRM Correction 06/03/2024 89 FR 47471 NPRM Comment Period End 06/03/2024 NPRM Comment Period Extended End 07/03/2024 Final Rule 10/00/2025 Undetermined Undetermined No https://www.regulations.gov https://www.regulations.gov No No Todd Klessman CIRCIA Rulemaking Team Lead 1670 Cybersecurity and Infrastructure Security Agency CISA 202 964-6869 circia@cisa.dhs.gov CISA - CHR Mailstop 0609, 1310 N Courthouse Road, Arlington VA 20598-0609