
What Is CIRCIA? CISA Incident Reporting Explained

CIRCIA explained for US organizations — clear, practical guidance to protect critical operations. Learn the essentials with CyberSilo.

📅 Published: June 2026 🔐 Cybersecurity • Critical Infra • USA ⏱️ 2,200 words

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a United States federal law, implemented by the Cybersecurity and Infrastructure Security Agency (CISA), that mandates covered entities in critical infrastructure sectors to report certain cybersecurity incidents and ransomware payments to CISA within strict timeframes—72 hours for a covered incident and 24 hours for a ransom payment. This regulation reshapes how US organizations in sectors such as energy, healthcare, finance, and transportation must detect, respond to, and report breaches, moving from voluntary sharing to mandatory, enforceable notification.

For CISOs, security architects, and compliance officers, CIRCIA is not merely an administrative requirement—it is a fundamental shift in operational risk management. Understanding what CIRCIA is, who it covers, what incidents trigger reporting, and how to build a compliant program is critical for avoiding penalties and protecting national security. At CyberSilo, we help US critical infrastructure organizations navigate this complex regulatory landscape with precision and efficiency.

What Is CIRCIA? Definition and Core Purpose

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a federal statute passed by the US Congress and signed into law on March 15, 2022, as part of the broader Consolidated Appropriations Act, 2022. Its primary purpose is to close a longstanding gap in the US government's visibility into cyber threats targeting the nation's most essential systems and services.

Unlike voluntary programs that rely on goodwill, CIRCIA imposes a mandatory reporting requirement on entities within critical infrastructure sectors. CISA, the enforcing authority, estimates that the final rule—published in the Federal Register in 2024—will affect over 30,000 organizations across 16 critical infrastructure sectors, including Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials and Waste, Transportation Systems, and Water and Wastewater Systems.

The law's core objectives are to:

CIRCIA is expected to cost regulated entities an estimated $2.6 billion in compliance costs over the first 10 years, underscoring the need for automated compliance solutions to manage reporting obligations efficiently.

Key Takeaway: CIRCIA is the first US federal law to mandate cybersecurity incident and ransomware payment reporting from private-sector critical infrastructure entities directly to CISA. It applies to incidents occurring on or after the effective date of the final rule (expected in 2025). Failure to report can result in civil penalties of up to $500,000 per violation, per day.

Who Must Comply with CIRCIA? Covered Entities

The final rule defines a covered entity as any person or organization that:

CISA has adopted a two-pronged test for most sectors: an entity qualifies if it (1) is designated as part of that sector and (2) meets one of the following thresholds: employs more than 50 employees, is publicly traded, or is a state or local government entity. For sectors like healthcare, the entity is covered if it is subject to HIPAA and operates in the Healthcare and Public Health sector. For financial services, entities subject to GLBA or NYDFS 500 and designated as critical infrastructure are covered.

At the time of writing, CISA is still finalizing the definitive list of covered subcategories and thresholds through the rulemaking process. However, organizations in the following categories are almost certainly covered:

For a complete assessment of whether your organization falls under CIRCIA, we recommend a comprehensive compliance assessment from a qualified partner like CyberSilo.

What Incidents Trigger CIRCIA Reporting?

CIRCIA establishes two distinct reporting obligations based on incident type:

Covered Cybersecurity Incidents — 72-Hour Report

A covered cybersecurity incident is defined as any incident that:

Examples of reportable incidents include:

The report must be submitted to CISA within 72 hours of the covered entity reasonably believing the incident has occurred. This timeframe begins when the entity has enough information to know the incident is reportable—not from the moment of initial detection.

Ransomware Payment Report — 24-Hour Report

Separately, any covered entity that makes a ransomware payment—regardless of the amount or whether the payment is legal under other laws—must submit a report to CISA within 24 hours of making the payment. This report must include:

This provision is particularly significant because it removes the traditional wait-and-see approach to ransomware payments. Organizations must now have a pre-approved payment decision process and the ability to compile a report within a single day.

Critical Distinction: The 72-hour incident report and the 24-hour payment report are separate obligations. An entity that experiences a ransomware incident and pays a ransom must file both reports. The incident report covers the attack itself; the payment report covers the financial transaction.

What Information Must Be Included in a CIRCIA Report?

CIRCIA requires a detailed report to CISA that includes, at a minimum, the following information:

CISA is required to establish a secure portal for electronic submission, and entities can submit reports using a standardized format. The agency may also request follow-up information within 30 days of the initial report.

Importantly, CIRCIA provides limited liability protection for entities that file reports in good faith. Information shared with CISA is generally exempt from public disclosure under the Freedom of Information Act (FOIA), and cannot be used in civil lawsuits or criminal proceedings against the reporting entity. This protection is designed to encourage robust reporting without fear of legal exposure.

Penalties for Non-Compliance

Non-compliance with CIRCIA carries significant consequences:

Given the severity of these penalties, organizations must have a reliable, auditable reporting process in place before an incident occurs.

How CIRCIA Interacts with Other US Reporting Laws

CIRCIA does not exist in a vacuum. Covered entities must navigate a patchwork of overlapping federal and state reporting requirements:

While CIRCIA reports are confidential and exempt from public disclosure, the same incident may trigger public reporting obligations under other laws. Organizations must coordinate their incident response process to satisfy all applicable requirements simultaneously.

To manage this complexity, CyberSilo's Threat Exposure Management platform integrates with your existing incident response workflows to automate CIRCIA reporting across multiple regulatory frameworks.

Building a CIRCIA Compliance Program

Establishing a compliant program requires a structured approach. Here is a phased process for achieving and maintaining CIRCIA readiness:

1. Determine If You Are a Covered Entity

Assess whether your organization owns, operates, or controls a critical infrastructure system and meets the size, ownership, or functional thresholds defined by CISA. This analysis should be conducted by a qualified compliance expert to avoid misclassification.

2. Establish Incident Detection and Classification Capabilities

Deploy robust SIEM, EDR, and network detection tools to identify incidents in real time. Train your SOC analysts on CIRCIA's specific criteria for a "covered cybersecurity incident" so they can classify incidents accurately within the 72-hour clock.

3. Define a Reporting Workflow

Create a documented workflow that assigns ownership for CIRCIA report preparation, internal approval, and submission to CISA. The workflow must include a 24-hour sub-process for ransomware payment notifications. Automate data collection from your security tools to reduce manual effort and errors.

4. Integrate with Existing Incident Response Plans

Update your incident response plan to include CIRCIA-specific triggers, timelines, and communication protocols. Cross-reference with HIPAA, NYDFS, and other applicable regulations to ensure unified reporting across all obligations.

5. Conduct Tabletop Exercises and Testing

Run simulated CIRCIA-covered incidents to validate your reporting process. Measure your team's ability to identify the incident, gather required data, and submit a complete report within 72 hours. Refine workflows based on findings.

6. Maintain Ongoing Compliance and Audit Trails

Keep detailed records of all incident detection actions, internal communications, and reporting submissions. CISA may request follow-up information within 30 days of a report, and audit oversight bodies may review your compliance program years later.
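The reporting workflow in step 3 and the "Critical Distinction" above (two separate clocks, the 72-hour one starting at reasonable belief rather than first detection) are the kind of rules a SOC ticketing integration has to encode correctly. The following tracker is an added example written for this article; it is not CyberSilo's code, not CISA's portal format, and the incident schema, the `INC-0001` identifier, the timestamps and the rule that a recorded ransom payment without a belief timestamp is treated as a data-entry error are all constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows as the article states them: 72 h for a covered incident,
# 24 h for a ransomware payment. They are independent obligations.
INCIDENT_WINDOW = timedelta(hours=72)
PAYMENT_WINDOW = timedelta(hours=24)


def _aware(ts: datetime, name: str) -> datetime:
    """Reject naive timestamps: deadline math must not depend on local zone."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts


@dataclass
class Incident:
    """Minimal incident record (hypothetical schema, not CISA's)."""
    incident_id: str
    detected_at: datetime                               # first alert; starts NO clock
    reasonable_belief_at: Optional[datetime] = None     # starts the 72 h clock
    ransom_paid_at: Optional[datetime] = None           # starts the 24 h clock
    incident_report_filed_at: Optional[datetime] = None
    payment_report_filed_at: Optional[datetime] = None


@dataclass
class Obligation:
    report: str                 # "covered_incident" or "ransom_payment"
    clock_start: datetime
    deadline: datetime
    filed_at: Optional[datetime]

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline - _aware(now, "now")).total_seconds() / 3600

    def status(self, now: datetime) -> str:
        if self.filed_at is not None:
            return "filed_on_time" if self.filed_at <= self.deadline else "filed_late"
        return "overdue" if _aware(now, "now") > self.deadline else "open"


def obligations(inc: Incident) -> list[Obligation]:
    """Derive the separate CIRCIA obligations an incident record carries."""
    out: list[Obligation] = []
    if inc.ransom_paid_at is not None and inc.reasonable_belief_at is None:
        # Assumed policy of this example: paying a ransom implies the entity
        # believes a covered incident occurred, so a missing belief timestamp
        # is a data-entry error that must be fixed before deadlines are trusted.
        raise ValueError(f"{inc.incident_id}: ransom paid but 72 h clock never started")
    if inc.reasonable_belief_at is not None:
        start = _aware(inc.reasonable_belief_at, "reasonable_belief_at")
        out.append(Obligation("covered_incident", start, start + INCIDENT_WINDOW,
                              inc.incident_report_filed_at))
    if inc.ransom_paid_at is not None:
        start = _aware(inc.ransom_paid_at, "ransom_paid_at")
        out.append(Obligation("ransom_payment", start, start + PAYMENT_WINDOW,
                              inc.payment_report_filed_at))
    return out


def summarize(inc: Incident, now: datetime) -> dict[str, str]:
    """Map each report type to its status at time `now`."""
    return {o.report: o.status(now) for o in obligations(inc)}


# --- constructed sample data, not a real incident ---
T0 = datetime(2025, 6, 1, 8, 0, tzinfo=timezone.utc)   # first alert
EXAMPLE_NOW = T0 + timedelta(hours=90)                  # "current" time for the demo


def demo_incident(*, belief_known: bool = True, payment_report_filed: bool = False) -> Incident:
    """Ransomware case: detected at T0, classified as covered at +30 h, paid at +50 h."""
    return Incident(
        incident_id="INC-0001",
        detected_at=T0,
        reasonable_belief_at=T0 + timedelta(hours=30) if belief_known else None,
        ransom_paid_at=T0 + timedelta(hours=50),
        payment_report_filed_at=T0 + timedelta(hours=70) if payment_report_filed else None,
    )


if __name__ == "__main__":
    inc = demo_incident()
    for o in obligations(inc):
        print(f"{o.report}: deadline {o.deadline.isoformat()} "
              f"{o.hours_remaining(EXAMPLE_NOW):+.1f} h -> {o.status(EXAMPLE_NOW)}")
    # A tracker that started the 72 h clock at detection would already show the
    # incident report as overdue here, which is the misclassification to avoid.
    print("naive deadline from detection:", (inc.detected_at + INCIDENT_WINDOW).isoformat())
```

With the constructed timestamps the incident report is still open with 12 hours left (clock started at +30 h, not at detection), while the payment report is 16 hours overdue, which is exactly the situation the 24-hour sub-process in step 3 exists to prevent. Wire `summarize` to your ticketing system's timestamps and the timezone guard will catch the most common source of wrong deadlines: naive local times mixed with UTC tool logs.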

Leading organizations pair this workflow with automated compliance tools. CyberSilo's Threat Exposure Management solution can reduce CIRCIA report preparation time by an average of 60%, ensuring you meet the 72-hour deadline without straining your security team.

Get a CIRCIA Compliance Assessment

Is your organization prepared for mandatory CISA reporting? Our experts can evaluate your current incident response capabilities, perform a gap analysis of your reporting workflows, and help you build a CIRCIA-compliant program. Schedule a confidential assessment today.

Frequently Asked Questions About CIRCIA

What is the difference between CIRCIA and CISA?

CISA (the Cybersecurity and Infrastructure Security Agency) is the federal agency responsible for implementing and enforcing CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act). CIRCIA is the law that creates the mandatory reporting requirement; CISA is the regulator that collects reports and issues guidance.

Does CIRCIA apply to my small business?

Only if your business is designated as part of a critical infrastructure sector AND meets the applicable size threshold—typically more than 50 employees, publicly traded, or a government entity. Small businesses that are not in critical infrastructure sectors or that fall below the threshold are not covered by CIRCIA.

How do I submit a report to CISA under CIRCIA?

CISA is developing a secure online portal for CIRCIA report submissions. The agency will publish submission instructions in the final rule and on the CISA website. Covered entities should monitor CISA's CIRCIA page for updates and prepare their internal workflows now.

Can I share CIRCIA reports with my insurance company or legal team?

Yes, CIRCIA reports can be shared with third parties such as insurers, legal counsel, and forensic investigators. However, the reports retain their FOIA exemption and legal protections only when shared with CISA. Once shared externally, they may lose some legal protections. Consult with legal counsel before broad distribution.

What are the penalties for lying or omitting information in a CIRCIA report?

Knowingly making a false statement or willfully omitting required information in a CIRCIA report can result in criminal penalties under 18 U.S.C. § 1001, including fines and imprisonment. Good-faith errors are not subject to these penalties, but intentional deception is a serious crime.

Does CIRCIA require reporting if no data was stolen?

Yes, if the incident substantially affects the covered entity's ability to function or operate. For example, a ransomware attack that encrypts critical systems but results in no data exfiltration is still reportable because it impairs operations. The focus is on the impact on critical infrastructure, not solely on data loss.

Preparing for CIRCIA Ahead of the Final Rule

While the final rule from CISA is expected in 2025, forward-thinking organizations are already taking proactive steps:

Our Conclusion & Recommendation

CIRCIA represents a new era of mandatory cyber incident reporting in the United States, fundamentally altering the relationship between private-sector critical infrastructure organizations and the federal government. For CISOs and compliance leaders, the law demands a shift from reactive, ad hoc reporting to a structured, automated, and defensible process. The costs of non-compliance—up to $500,000 per day—far outweigh the investment in preparation.

We recommend that all organizations likely to be covered by CIRCIA begin building their compliance programs immediately, even before the final rule takes effect. This includes defining incident classification criteria, automating data collection, and conducting tabletop exercises. CyberSilo's Threat Exposure Management platform provides the automated detection, reporting, and audit trail capabilities necessary to meet CIRCIA's strict timelines without overwhelming your security team. Combined with our US cybersecurity compliance services, we help you achieve and maintain CIRCIA readiness while managing obligations across other frameworks.

Get a Compliance Assessment Today

Don't wait until the final rule takes effect. Schedule a confidential CIRCIA compliance assessment with CyberSilo's team of regulatory experts and gain a clear roadmap to compliance.
