View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

DHS/CISA RIN: 1670-AA04 Publication ID: 2026 
Title: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements 
Abstract:

The Cybersecurity and Infrastructure Security Agency (CISA) will finalize regulations to implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  Specifically, CIRCIA directs CISA to develop and implement regulations requiring covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments.  CISA published the NPRM on April 4, 2024. CISA received significant public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden of the proposed reporting requirements, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and clarify terms. CISA is considering the public comments and examining options for the rulemaking. Additional information about this rulemaking is available at www.cisa.gov/circia.

 
Agency: Department of Homeland Security(DHS)  Priority: Other Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: Yes  Unfunded Mandates: No 
EO 14192 Designation: Fully or Partially Exempt 
CFR Citation: 6 CFR 226   
Legal Authority: 6 U.S.C. 681 et seq.   
Legal Deadline:
Action Source Description Date
Final  Statutory  Final Rule  10/04/2025 
NPRM  Statutory  Notice of Proposed Rulemaking  03/15/2024 

Statement of Need:

Congress directed CISA to promulgate regulations requiring covered entities to report covered cyber incidents and ransom payments to CISA.

Summary of the Legal Basis:

This regulation is statutorily mandated by 6 U.S.C. 681 et seq.

Anticipated Costs and Benefits:

CISA is continuing to assess the anticipated costs and benefits of the final rule.  

Timetable:
Action Date FR Cite
NPRM  04/04/2024  89 FR 23644   
NPRM Comment Period Extended  05/06/2024  89 FR 37141   
NPRM Correction  06/03/2024  89 FR 47471   
NPRM Comment Period End  06/03/2024 
NPRM Comment Period Extended End  07/03/2024 
Final Rule  09/00/2026 
Regulatory Flexibility Analysis Required: YES  Government Levels Affected: Local, State, Tribal 
Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations  Federalism: No 
Included in the Regulatory Plan: Yes 
RIN Information URL: https://www.regulations.gov   Public Comment URL: https://www.regulations.gov  
RIN Data Printed in the FR: Yes 
Agency Contact:
Todd Klessman
CIRCIA Rulemaking Team Lead
Department of Homeland Security
Cybersecurity and Infrastructure Security Agency
CISA - WB2 Stop 0612, 4200 Wilson Blvd.,
Arlington, VA 20598-0612
Phone:202 964-6869
Email: circia@cisa.dhs.gov