CIRCIA Explained: America's Landmark Cyber Reporting Law — What It Was, What It Became, and What Comes Next
A rule born from a ransomware attack on a gasoline pipeline has spent four years bouncing between administrations, industry lobbying, and political gridlock. Now, CISA is trying again — and the stakes have never been higher.
Where It All Started: The Colonial Pipeline Moment
In May 2021, a ransomware attack on Colonial Pipeline shut down the largest fuel pipeline on the US East Coast for six days, triggering panic buying, fuel shortages across multiple states, and a stark national reckoning with how unprepared America's critical infrastructure was for cyber threats. The attack was a turning point.
Congress responded. On March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act — known as CIRCIA — was signed into law. For the first time, the federal government was creating a mandatory framework requiring critical infrastructure operators to report cyberattacks to CISA, the nation's civilian cybersecurity agency. The goal was simple: give the government real-time visibility into attacks so it could help victims, spot patterns, and warn others before the next breach spread further.
The Original Rule: What Biden's CISA Proposed
CIRCIA required CISA to publish a Notice of Proposed Rulemaking no later than March 2024, and to issue a final rule within 18 months of that publication.
CISA released the draft rule on March 27, 2024. It established two core reporting requirements for critical infrastructure entities: a 72-hour window to report covered cyber incidents, and a 24-hour window to report ransomware payments made in response to an attack.
The scope was sweeping. The draft rules were designed to apply across all 16 critical infrastructure sectors — from electric utilities, water systems, and hospitals to chemical facilities, transportation networks, and financial services. Entities would be required to report not just confirmed breaches, but any incident meeting defined thresholds of materiality and impact. A follow-up report was also required whenever "substantial new or different information" emerged about a previously reported incident.
Multiple reporting categories were proposed, including a standard "Covered Cyber Incident Report," a separate "Ransomware Payment Report," and a "Joint Covered Cyber Incident and Ransom Payment Report" for incidents where both conditions applied.
The vision behind the rule was clear: centralize cyber incident data at CISA so the agency could rapidly deploy resources to victims, analyze trends across sectors, and share threat intelligence with network defenders in near real-time — essentially building a national early warning system for cyberattacks.
The Backlash: Why Industry Pushed Back
The ambition of the Biden-era draft quickly ran into the messy realities of implementation.
Critics argued the draft rules cast too wide a net. The proposed rule was estimated to cover approximately 300,000 entities — a number many in industry considered unrealistic and unworkable. Small water utilities, rural hospitals, and community banks would suddenly find themselves subject to the same federal reporting obligations as the nation's largest energy companies and financial institutions.
Industry groups also objected to the vague definition of what actually constitutes a reportable "cyber incident." Without clear thresholds, organizations faced the prospect of having to make judgment calls under pressure — in the middle of an active incident — about whether their situation rose to the level requiring federal notification within 72 hours.
Perhaps most critically, CIRCIA threatened to collide with a patchwork of existing regulations. The Department of Homeland Security had already identified 45 different federal cyber incident reporting requirements administered by 22 separate federal agencies — and CIRCIA would add another layer on top. While CISA promised to establish information-sharing agreements with other agencies to reduce overlap, few concrete details on those agreements ever materialized.
The Trump Administration's Intervention
When the Trump administration took office in January 2025, it inherited a rule that was already running behind schedule and drawing fire from multiple directions. The administration stalled implementation to gather additional feedback — a move that frustrated some lawmakers pushing for speed, but pleased industry groups that wanted a reset.
The politics grew more complicated from there. House Homeland Security Committee Chairman Andrew Garbarino, who had been involved in drafting the original legislation, expressed open frustration with how the rule had evolved. "We were so happy to get done and then all of a sudden, it's not what we intended," he said at a recent Washington event, adding that there were "so many reporting regulations out there" and the intent was for CIRCIA to be the one — not just another one.
At the same time, the GOP-led House Appropriations Committee has taken the opposite view on timing, expressing concern about delays and directing CISA to brief the committee on its plans as part of quarterly budget reviews.
Where Things Stand Now: The Town Halls
On May 26, 2026, CISA announced a revised schedule of town hall meetings for the CIRCIA rulemaking. The meetings — scheduled to begin June 15 — replace previously planned town halls from March and April 2026 that were cancelled due to a lapse in Department of Homeland Security appropriations caused by a partial government shutdown.
Acting CISA Director Nick Andersen has framed the renewed engagement as a listening exercise, not a rubber stamp. "We need your substantive feedback to be able to make that as good as it can be," he said at a recent industry conference. He has been careful not to commit to a final deadline, acknowledging that public comments could "radically change" CISA's thinking on the rule's scope and design.
The core reporting obligations — 72 hours for cyber incidents, 24 hours for ransomware payments — are expected to remain intact. What is genuinely up for debate is who exactly has to comply, what exactly triggers the reporting obligation, and how CIRCIA's requirements will be harmonized with the dozens of sector-specific rules already on the books.
What the Final Rule Will Need to Get Right
Several critical questions remain unresolved as CISA moves toward finalization:
Scope. Covering 300,000 entities was widely seen as unworkable. A more targeted approach — focusing on the largest and most systemically critical operators — would be more enforceable, but risks leaving gaps in sectors where smaller operators run genuinely critical systems.
Definitions. What constitutes a "covered cyber incident" needs clear, objective criteria that organizations can apply quickly during an active attack, not after it has been fully investigated.
Harmonization. If CIRCIA is to be the master reporting framework rather than just another layer, CISA must deliver concrete information-sharing agreements with the 22 other federal agencies that already collect cyber incident data. Without those agreements, the system risks creating more bureaucracy, not less.
Processing capacity. CISA estimated the program would cost the agency $116 million in FY2025 and require 70 new positions just to manage the volume of incoming reports. Whether the agency has the infrastructure — and the budget — to actually process and act on thousands of incident reports across 16 sectors in near real-time remains an open question. CISA is currently building both a new internal ticketing system and a public-facing web portal for submissions.
The Bigger Picture
The delay and difficulty surrounding CIRCIA reflect a broader tension in US cybersecurity policy: the government wants better visibility into attacks on critical infrastructure, but the private sector — which owns and operates the vast majority of that infrastructure — has consistently resisted mandatory reporting obligations as burdensome, risky, and duplicative.
For context, cybercrime cost the United States an estimated $320 billion in 2023 and is projected to surpass $1 trillion annually by 2027. Against that backdrop, the argument that a 72-hour reporting requirement is too burdensome becomes harder to sustain.
The original CIRCIA law was a response to a moment of national vulnerability. Four years later, that vulnerability has only grown — and the rule meant to address it is still not finished. CISA's town halls represent the latest, and perhaps final, attempt to build enough consensus to get it across the line.
Whether the result will be a rule that delivers on CIRCIA's original promise — or a diluted compromise that satisfies no one — is the question the next few months will answer.