<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<REGINFO_RIN_DATA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" RUN_DATE="2026-07-06-04:00" xsi:noNamespaceSchemaLocation="https://www.reginfo.gov/public/xml/REGINFO_XML_Ver10262011.xsd">
    <RIN_INFO>
        <RIN>1670-AA04</RIN>
        <PUBLICATION>
            <PUBLICATION_ID>202510</PUBLICATION_ID>
            <PUBLICATION_TITLE>The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions</PUBLICATION_TITLE>
        </PUBLICATION>
        <AGENCY>
            <CODE>1670</CODE>
            <NAME>Cybersecurity and Infrastructure Security Agency</NAME>
            <ACRONYM>CISA</ACRONYM>
        </AGENCY>
        <PARENT_AGENCY>
            <CODE>1600</CODE>
            <NAME>Department of Homeland Security</NAME>
            <ACRONYM>DHS</ACRONYM>
        </PARENT_AGENCY>
        <RULE_TITLE>Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements</RULE_TITLE>
        <ABSTRACT><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>The Cybersecurity and Infrastructure Security Agency (CISA) will finalize regulations to implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).&nbsp; Specifically, CIRCIA directs CISA to develop and implement regulations requiring covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments.&nbsp; CISA published the NPRM on April 4, 2024. CISA received significant public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden of the proposed reporting requirements, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and clarify terms. CISA is considering the public comments and examining options for the rulemaking. Additional information about this rulemaking is available at www.cisa.gov/circia.</p>
</body>
</html>]]></ABSTRACT>
        <PRIORITY_CATEGORY>Other Significant</PRIORITY_CATEGORY>
        <RIN_STATUS>Previously Published in The Unified Agenda</RIN_STATUS>
        <RULE_STAGE>Final Rule Stage</RULE_STAGE>
        <MAJOR>Yes</MAJOR>
        <UNFUNDED_MANDATE_LIST>
            <UNFUNDED_MANDATE>No</UNFUNDED_MANDATE>
        </UNFUNDED_MANDATE_LIST>
        <EO_13771_DESIGNATION>Fully or Partially Exempt</EO_13771_DESIGNATION>
        <CFR_LIST>
            <CFR>6 CFR 226</CFR>
        </CFR_LIST>
        <LEGAL_AUTHORITY_LIST>
            <LEGAL_AUTHORITY>6 U.S.C. 681 et seq.</LEGAL_AUTHORITY>
        </LEGAL_AUTHORITY_LIST>
        <LEGAL_DLINE_LIST>
            <LEGAL_DLINE_INFO>
                <DLINE_TYPE>Statutory</DLINE_TYPE>
                <DLINE_ACTION_STAGE>Final</DLINE_ACTION_STAGE>
                <DLINE_DATE>10/04/2025</DLINE_DATE>
                <DLINE_DESC>Final Rule</DLINE_DESC>
            </LEGAL_DLINE_INFO>
            <LEGAL_DLINE_INFO>
                <DLINE_TYPE>Statutory</DLINE_TYPE>
                <DLINE_ACTION_STAGE>NPRM</DLINE_ACTION_STAGE>
                <DLINE_DATE>03/15/2024</DLINE_DATE>
                <DLINE_DESC>Notice of Proposed Rulemaking</DLINE_DESC>
            </LEGAL_DLINE_INFO>
        </LEGAL_DLINE_LIST>
        <RPLAN_ENTRY>Yes</RPLAN_ENTRY>
        <RPLAN_INFO>
            <STMT_OF_NEED><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>Congress directed CISA to promulgate regulations requiring covered entities to report covered cyber incidents and ransom payments to CISA.</p>
</body>
</html>]]></STMT_OF_NEED>
            <LEGAL_BASIS><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>This regulation is statutorily mandated by 6 U.S.C.&nbsp;681 et seq.</p>
</body>
</html>]]></LEGAL_BASIS>
            <COSTS_AND_BENEFITS><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>CISA is continuing to assess the anticipated costs and benefits of the final rule.&nbsp;&nbsp;</p>
</body>
</html>]]></COSTS_AND_BENEFITS>
        </RPLAN_INFO>
        <TIMETABLE_LIST>
            <TIMETABLE>
                <TTBL_ACTION>NPRM</TTBL_ACTION>
                <TTBL_DATE>04/04/2024</TTBL_DATE>
                <FR_CITATION>89 FR 23644</FR_CITATION>
            </TIMETABLE>
            <TIMETABLE>
                <TTBL_ACTION>NPRM Comment Period Extended</TTBL_ACTION>
                <TTBL_DATE>05/06/2024</TTBL_DATE>
                <FR_CITATION>89 FR 37141</FR_CITATION>
            </TIMETABLE>
            <TIMETABLE>
                <TTBL_ACTION>NPRM Correction</TTBL_ACTION>
                <TTBL_DATE>06/03/2024</TTBL_DATE>
                <FR_CITATION>89 FR 47471</FR_CITATION>
            </TIMETABLE>
            <TIMETABLE>
                <TTBL_ACTION>NPRM Comment Period End</TTBL_ACTION>
                <TTBL_DATE>06/03/2024</TTBL_DATE>
            </TIMETABLE>
            <TIMETABLE>
                <TTBL_ACTION>NPRM Comment Period Extended End</TTBL_ACTION>
                <TTBL_DATE>07/03/2024</TTBL_DATE>
            </TIMETABLE>
            <TIMETABLE>
                <TTBL_ACTION>Final Rule</TTBL_ACTION>
                <TTBL_DATE>09/00/2026</TTBL_DATE>
            </TIMETABLE>
        </TIMETABLE_LIST>
        <RFA_REQUIRED>YES</RFA_REQUIRED>
        <SMALL_ENTITY_LIST>
            <SMALL_ENTITY>Businesses</SMALL_ENTITY>
            <SMALL_ENTITY>Governmental Jurisdictions</SMALL_ENTITY>
            <SMALL_ENTITY>Organizations</SMALL_ENTITY>
        </SMALL_ENTITY_LIST>
        <GOVT_LEVEL_LIST>
            <GOVT_LEVEL>Local</GOVT_LEVEL>
            <GOVT_LEVEL>State</GOVT_LEVEL>
            <GOVT_LEVEL>Tribal</GOVT_LEVEL>
        </GOVT_LEVEL_LIST>
        <FEDERALISM>No</FEDERALISM>
        <FURTHER_INFO_URL>https://www.regulations.gov</FURTHER_INFO_URL>
        <PUBLIC_COMMENT_URL>https://www.regulations.gov</PUBLIC_COMMENT_URL>
        <PRINT_PAPER>Yes</PRINT_PAPER>
        <INTERNATIONAL_INTEREST>No</INTERNATIONAL_INTEREST>
        <AGENCY_CONTACT_LIST>
            <CONTACT>
                <FIRST_NAME>Todd</FIRST_NAME>
                <LAST_NAME>Klessman</LAST_NAME>
                <TITLE>CIRCIA Rulemaking Team Lead</TITLE>
                <AGENCY>
                    <CODE>1670</CODE>
                    <NAME>Cybersecurity and Infrastructure Security Agency</NAME>
                    <ACRONYM>CISA</ACRONYM>
                </AGENCY>
                <PHONE>202 964-6869</PHONE>
                <EMAIL>circia@cisa.dhs.gov</EMAIL>
                <MAILING_ADDRESS>
                    <STREET_ADDRESS>CISA - WB2 Stop 0612, 4200 Wilson Blvd.,</STREET_ADDRESS>
                    <CITY>Arlington</CITY>
                    <STATE>VA</STATE>
                    <ZIP>20598-0612</ZIP>
                </MAILING_ADDRESS>
            </CONTACT>
        </AGENCY_CONTACT_LIST>
    </RIN_INFO>
</REGINFO_RIN_DATA>
