The U.S. Department of Homeland Security (DHS) is set to implement long-awaited rules that will require critical infrastructure entities across multiple sectors to report cyber incidents and ransomware payments to the federal government.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, directs the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations for covered entities to report cyber incidents and ransom payments. This week, CISA published its initial Notice of Proposed Rulemaking, kicking off a 60-day public comment period before a final rule is issued, likely around October 2025.
The goal of these mandatory reporting requirements is to help the federal government rapidly deploy resources to cyberattack victims, analyze trends to spot emerging threats quicker, share actionable warnings with potential targets, and ultimately strengthen America's cybersecurity resilience and incident response capabilities.
"CIRCIA is a key milestone in moving critical infrastructure towards more awareness and coordinated response to cyber threats," said John Gallagher, Vice President at Viakoo. "As the attack surface has shifted to vulnerabilities in IoT, OT, and industrial control systems, CIRCIA acts as an accelerant to cross-industry information sharing."
Under CISA's proposed rules, covered entities would have 72 hours to report cyber incidents meeting the agency's definition, and just 24 hours to report after paying ransomware demands. While some argued for shorter timelines, CISA aims to balance rapid reporting with allowing victims sufficient time for initial response and accurate information gathering.
Jose Seara, CEO of DeNexus, welcomed the convergence of cybersecurity mandates across government agencies. "It will allow corporations to simplify and deploy more effective cybersecurity programs," Seara stated, recommending companies "start with cyber risk quantification to prioritize risk mitigation projects."
CISA acknowledged grappling with definitions of covered entities and reportable incidents during the rulemaking process. The draft rules propose broad criteria that could apply reporting duties to more than 300,000 organizations across critical sectors like energy, communications, healthcare, and more.
"Having clear definitions gives cyber insurers a way to work with critical infrastructure on underwriting decisions based on these guidelines," Gallagher noted.
While commending CIRCIA's intent, both experts pointed to ongoing needs—such as preparedness benchmarks, ethical disclosure standards, and sufficient funding—to avoid overburdening CISA's capabilities.
Gallagher called the estimated $2.6 billion implementation cost from 2023-2033 "modest compared to the scale of cybercrime." However, Seara emphasized, "Underfunding critical infrastructure security is a questionable decision."
As CIRCIA reporting rules take shape, the public and private sectors have more work ahead to optimize this cybersecurity transparency while managing compliance costs and respecting proprietary data safeguards. With high-stakes incidents impacting critical services, CIRCIA's mandatory reporting marks a pivotal step toward more cohesive national cyber defense.
Follow SecureWorld News for more stories related to cybersecurity.