CISA compresses CIRCIA town halls into four June sessions
Four days in June is the last structured window to shape mandatory incident reporting rules that lock in May 2026, so the session schedule is also a signal about how much scope remains open.
TL;DR
CISA consolidated its CIRCIA rulemaking town hall series from eight sessions spread across multiple months into four concentrated sessions June 15-18, after the original February schedule was cancelled during the DHS shutdown. Critical infrastructure operators and their contractors have until those sessions to weigh in on the four-day incident reporting window and 24-hour ransom payment notification requirements before the final rule publishes in May 2026. The compression from eight sessions to four, all in a single week, suggests CISA has narrowed its remaining decision surface rather than reopened the file.
CISA published a Federal Register notice (scheduled May 26) announcing four town halls the week of June 15-18 on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) Notice of Proposed Rulemaking. The sessions replace a seven-part series postponed when the Department of Homeland Security shutdown forced cancellations in February. June 15 and June 17 are general sessions. June 16 covers eight sectors: Communications, Dams, Emergency Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Transportation Systems, and Water and Wastewater. June 18 covers the remaining eight: Chemical, Commercial Facilities, Critical Manufacturing, Defense Industrial Base, Energy, Financial Services, Information Technology, and Nuclear Reactors, Materials, and Waste. All sessions run 11:30 a.m. to 3:30 p.m. Eastern.
The underlying rule would require covered entities to report cyber incidents within four days and ransom payments within 24 hours. The 447-page NPRM issued April 4, 2024 drew substantial industry and congressional feedback on scope, definitions, and reporting burden. CISA has since pushed the final rule deadline from October 2025 to May 2026, a six-month slip announced in September.
What the compression signals
Eight sessions across multiple months gave sector representatives room to engage on sequential drafts of agency thinking. Four sessions in one week, each capped at four hours, means CISA is collecting final input at a point when the rule's architecture is largely settled. The agency's own notice frames it as "a limited additional opportunity to provide input on refining the scope and burden", the word "refining" rather than "reconsidering" carries weight. Stakeholders expecting to reopen core definitional questions, such as what constitutes a "covered entity" or what triggers the four-day clock, should treat these sessions as a closing argument rather than an ongoing negotiation.
What practitioners should do before June 15
Defense Industrial Base contractors and critical infrastructure operators who submitted comments on the NPRM have roughly three weeks to identify the deltas between their original comments and what the agency has signaled since. The sector-specific sessions on June 16 and June 18 are the more useful venues; the general sessions on June 15 and June 17 will draw broader audiences and leave less time for sector-specific edge cases. Registration details are posted at cisa.gov/circia; CISA will also notify registered stakeholders by email of any schedule changes. Given that the original February sessions were cancelled without notice during the shutdown, the agency's own Federal Register notice reserves the right to reschedule or cancel again, so confirmed registration and calendar monitoring are both necessary.
Published ·Updated ·Deep Fathom