
CISA restarts CIRCIA town halls on 72-hour reporting rule

The deadline is the easy part; the harder fight is which incidents and which entities CISA can realistically absorb.


TL;DR

CISA is resuming virtual town halls on the Cyber Incident Reporting for Critical Infrastructure Act rule after a shutdown pause, Federal News Network reports. The draft would require covered entities across 16 critical infrastructure sectors to report cyber incidents within 72 hours and ransomware payments within 24 hours. Primes, contractors, subs and C3PAOs should watch the scope fight: the draft may reach about 300,000 entities, while definitions and overlap with sector-specific reporting rules remain unsettled.

Editorial illustration · drawn by The Broadside

CISA’s CIRCIA process is moving again, but the restart does not answer the question that has dogged the rule since the 2024 proposal: how broad a mandatory incident-reporting regime can be before it becomes another reporting problem for the same defenders it is supposed to help.

The Cybersecurity and Infrastructure Security Agency is restarting virtual town halls on the Cyber Incident Reporting for Critical Infrastructure Act rule after meetings planned for March and April were postponed during the Department of Homeland Security funding lapse. CISA says the revised town halls begin June 15 and are intended to gather additional input on “refining the scope and burden” of the proposed rule before finalization: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia.

The draft structure is familiar by now. Covered entities across 16 critical infrastructure sectors would report covered cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. Federal News Network reports that the draft has drawn criticism for potentially covering about 300,000 entities, defining reportable incidents too ambiguously, and colliding with sector-specific cyber reporting rules already on the books.

That is the real compliance issue for primes, contractors, subcontractors and C3PAOs. A 72-hour clock can be operationalized. An unclear triggering standard across a sprawling population of covered entities is harder, because it turns incident triage into legal interpretation while the security team is still trying to determine what happened. CISA has said it wants reports so it can assist victims, analyze cross-sector trends and warn other defenders. That mission is legitimate. It also depends on receiving usable reports, not a flood of defensive filings from organizations that cannot tell whether the draft rule covers them.

The politics cut both ways. Some lawmakers want CISA to finish the final rule quickly. Others, including House Homeland Security Committee Chairman Andrew Garbarino, have argued the draft does not reflect congressional intent and needs narrowing. Acting CISA Director Nick Andersen told Federal News Network he has no specific finalization date and does not want to prejudge the comments from the town halls.

For practitioners, the Monday task is not to rewrite the incident-response plan yet. It is to map where CIRCIA would sit beside existing customer, regulator and sector reporting obligations, and identify who gets to decide that an event has crossed the reporting line. If CISA narrows the trigger, that mapping gets cleaner. If it does not, the 72-hour clock may be the least confusing part of the rule.


Published · Deep Fathom