CISA to Finalize CIRCIA Rule by September 2026, Mandating 72-Hour Breach and 24-Hour Ransom Payment Reporting

US to Finalize Mandatory Cyber Incident Reporting Rule (CIRCIA) by September

INFORMATIONAL
July 7, 2026
5m read
Policy and ComplianceRegulatoryIncident Response

Related Entities

Organizations

Other

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)Cybersecurity Maturity Model Certification (CMMC)

Full Report

Executive Summary

The United States is poised to enact a major change in its national cybersecurity strategy with the upcoming finalization of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The Cybersecurity and Infrastructure Security Agency (CISA) is expected to finalize the rule by September 2026, transitioning the nation from a voluntary to a mandatory cyber incident reporting framework for critical infrastructure sectors. The rule will legally obligate covered entities to report substantial cyber incidents to CISA within 72 hours and any ransom payments within 24 hours. This legislation is a direct response to major cyber events that highlighted the federal government's lack of visibility into threats affecting the private sector and is set to become a cornerstone of U.S. cybersecurity policy and corporate governance.


Regulatory Details

The CIRCIA rule establishes two primary reporting requirements for organizations designated as part of the U.S. critical infrastructure:

  1. Substantial Cyber Incident Reporting: Covered entities must report a "substantial cyber incident" to CISA no later than 72 hours after the organization reasonably believes the incident has occurred.
  2. Ransom Payment Reporting: Covered entities that make a ransom payment as a result of a ransomware attack must report the payment to CISA no later than 24 hours after the payment is made.

The goal of these rapid reporting timelines is to provide CISA with near real-time data on active campaigns and systemic threats. This information will be used to generate anonymized alerts for other potential victims, analyze threat actor TTPs, and coordinate a national-level response to widespread attacks.


Affected Organizations

CIRCIA will apply to organizations across the 16 critical infrastructure sectors defined by the U.S. government. While the final rule will specify the exact criteria (e.g., size, sector), this generally includes entities in:

  • Energy
  • Finance
  • Healthcare and Public Health
  • Information Technology
  • Communications
  • Defense Industrial Base
  • Transportation Systems
  • Water and Wastewater Systems
  • And others.

This regulation, along with others like the Department of Defense's Cybersecurity Maturity Model Certification (CMMC), signals a broader trend of federal mandates requiring documented and verifiable cybersecurity practices.


Compliance Requirements

To comply with CIRCIA, affected organizations will need to:

  1. Identify and Classify Incidents: Develop robust internal processes to quickly identify, classify, and escalate incidents to determine if they meet the threshold of a "substantial cyber incident" as defined by the final rule.
  2. Establish Reporting Workflows: Create clear, documented procedures for reporting incidents to CISA within the mandated 72-hour and 24-hour windows. This includes identifying responsible personnel and preparing the required information.
  3. Legal and Executive Involvement: Incident response plans must be updated to include immediate notification loops to legal counsel and executive leadership, especially when a ransom payment is being considered.
  4. Documentation: Maintain detailed records of the incident, the response actions taken, and the reports submitted to CISA for auditing and legal purposes.

Implementation Timeline

  • 2022: CIRCIA was passed by the U.S. Congress.
  • September 2026 (Projected): CISA is expected to publish the final rule in the Federal Register.

Once the final rule is published, there will likely be a subsequent grace period before enforcement begins, allowing organizations time to implement the necessary compliance measures.


Impact Assessment

The implementation of CIRCIA will have significant operational and strategic impacts on affected businesses:

  • Increased Operational Tempo: The 72-hour reporting deadline will dramatically accelerate incident response timelines, requiring organizations to be able to investigate and report concurrently.
  • Ransom Payment Calculus: The 24-hour reporting requirement for ransom payments adds a new layer of complexity and federal scrutiny to the decision of whether to pay a ransom.
  • Legal and Liability Risks: Failure to report in accordance with the rule will likely carry financial penalties and other enforcement actions, increasing the legal liability associated with a cyber incident.
  • Resource Allocation: Organizations will need to invest in the people, processes, and technology required to meet these reporting obligations, including incident response retainers, legal counsel, and log management systems.

Enforcement & Penalties

While the specific penalties will be detailed in the final rule, non-compliance with CIRCIA is expected to result in significant consequences. CISA will likely be granted the authority to issue subpoenas to organizations that fail to report and to levy fines for non-compliance. This enforcement power is a key difference from previous voluntary frameworks.


Compliance Guidance

Organizations should begin preparing for CIRCIA now:

  1. Review Incident Response Plans: Update your IR plan to incorporate the 72/24-hour reporting timelines. Conduct tabletop exercises to test your ability to meet these deadlines.
  2. Define "Substantial": Work with legal and IT security teams to pre-define what constitutes a "substantial" incident for your organization, so you are not making this decision in the middle of a crisis.
  3. Establish a Relationship with CISA: Proactively engage with CISA and other government partners. Familiarize yourself with their reporting portals and processes before an incident occurs.
  4. Automate and Integrate: Invest in security tools like SIEM and SOAR platforms that can automate the detection, correlation, and initial reporting of security events to help meet the tight deadlines.

Timeline of Events

1
January 1, 2022
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is passed by Congress.
2
July 7, 2026
This article was published
3
September 1, 2026
CISA is expected to finalize and publish the CIRCIA rule.

Timeline of Events

1
January 1, 2022

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is passed by Congress.

2
September 1, 2026

CISA is expected to finalize and publish the CIRCIA rule.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

CIRCIACISARegulationComplianceIncident ReportingCyber LawUS Government

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.