The US Cybersecurity and Infrastructure Security Agency (CISA) is actively soliciting feedback on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a significant legislative measure that could affect up to 316,000 entities across various sectors. Signed into law by President Biden in March 2022, CIRCIA aims to bolster the nation’s ability to identify cybersecurity trends, assist victims of cyber incidents, and rapidly disseminate information to potential targets, ultimately reducing cyber risks across critical infrastructure sectors. CISA has initiated a notice of proposed rulemaking (NPRM), inviting public comments on the proposed regulations for a period of 60 days, starting from April 4th.
According to Secretary of Homeland Security Alejandro Mayorkas, CIRCIA’s implementation is crucial for enhancing cybersecurity capabilities, facilitating prompt incident reporting, and fostering collaboration between the public and private sectors. The proposed rules are estimated to incur costs of $2.6 billion over 11 years, with around 316,000 entities potentially impacted and an anticipated influx of over 210,000 CIRCIA reports, averaging approximately 25,000 reports annually starting in 2026. To support the implementation, CISA has requested $116 million for the CIRCIA program in fiscal year 2025, earmarked for staffing, operational processes, and technological enhancements.
Under CIRCIA’s provisions, covered entities are mandated to notify CISA of significant cyber incidents within 72 hours and report ransomware payments within 24 hours of payment. Additionally, the legislation has spurred the establishment of the Joint Ransomware Task Force (JRTF) and the Ransomware Vulnerability Warning Pilot (RVWP) Program, aiming to identify vulnerabilities in critical infrastructure systems that could be exploited by ransomware actors. CISA Director Jen Easterly emphasizes that CIRCIA will enable a better understanding of cyber threats, early detection of adversary activities, and coordinated responses with public and private sector partners, underscoring the importance of feedback from the critical infrastructure community to shape the final regulations.
