The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a United States federal law, implemented by the Cybersecurity and Infrastructure Security Agency (CISA), that mandates covered entities in critical infrastructure sectors to report certain cybersecurity incidents and ransomware payments to CISA within strict timeframes—72 hours for a covered incident and 24 hours for a ransom payment. This regulation reshapes how US organizations in sectors such as energy, healthcare, finance, and transportation must detect, respond to, and report breaches, moving from voluntary sharing to mandatory, enforceable notification.
For CISOs, security architects, and compliance officers, CIRCIA is not merely an administrative requirement—it is a fundamental shift in operational risk management. Understanding what CIRCIA is, who it covers, what incidents trigger reporting, and how to build a compliant program is critical for avoiding penalties and protecting national security. At CyberSilo, we help US critical infrastructure organizations navigate this complex regulatory landscape with precision and efficiency.
What Is CIRCIA? Definition and Core Purpose
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a federal statute passed by the US Congress and signed into law on March 15, 2022, as part of the broader Consolidated Appropriations Act, 2022. Its primary purpose is to close a longstanding gap in the US government's visibility into cyber threats targeting the nation's most essential systems and services.
Unlike voluntary programs that rely on goodwill, CIRCIA imposes a mandatory reporting requirement on entities within critical infrastructure sectors. CISA, the enforcing authority, estimates that the final rule—published in the Federal Register in 2024—will affect over 30,000 organizations across 16 critical infrastructure sectors, including Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials and Waste, Transportation Systems, and Water and Wastewater Systems.
The law's core objectives are to:
- Enhance threat intelligence by providing CISA with timely, actionable data on real-world incidents.
- Identify systemic vulnerabilities and attack patterns across sectors.
- Enable proactive defense by alerting other critical infrastructure entities to emerging threats.
- Hold organizations accountable for proper incident detection and response.
CIRCIA is expected to cost regulated entities an estimated $2.6 billion in compliance costs over the first 10 years, underscoring the need for automated compliance solutions to manage reporting obligations efficiently.
Key Takeaway: CIRCIA is the first US federal law to mandate cybersecurity incident and ransomware payment reporting from private-sector critical infrastructure entities directly to CISA. It applies to incidents occurring on or after the effective date of the final rule (expected in 2025). Failure to report can result in civil penalties of up to $500,000 per violation, per day.
Who Must Comply with CIRCIA? Covered Entities
The final rule defines a covered entity as any person or organization that:
- Owns, operates, or controls a critical infrastructure system or asset designated by CISA under an existing sector-specific plan; and
- Meets the specific size, ownership, or functional criteria set forth in the rule for that sector.
CISA has adopted a two-pronged test for most sectors: an entity qualifies if it (1) is designated as part of that sector and (2) meets one of the following thresholds: employs more than 50 employees, is publicly traded, or is a state or local government entity. For sectors like healthcare, the entity is covered if it is subject to HIPAA and operates in the Healthcare and Public Health sector. For financial services, entities subject to GLBA or NYDFS 500 and designated as critical infrastructure are covered.
At the time of writing, CISA is still finalizing the definitive list of covered subcategories and thresholds through the rulemaking process. However, organizations in the following categories are almost certainly covered:
- Energy: Electric utilities, natural gas pipelines, nuclear power plants, and petroleum refineries.
- Healthcare & Public Health: Major hospitals, pharmaceutical manufacturers, and health insurance entities.
- Financial Services: Large banks, credit unions, clearinghouses, and financial market utilities.
- Transportation: Major airports, transit authorities, railroad operators, and pipeline operators.
- Water & Wastewater: Large municipal water systems and wastewater treatment facilities.
- Information Technology: Cloud service providers, data centers, and major IT service companies.
- Communications: Major telecommunications carriers, internet service providers, and broadcasters.
For a complete assessment of whether your organization falls under CIRCIA, we recommend a comprehensive compliance assessment from a qualified partner like CyberSilo.
What Incidents Trigger CIRCIA Reporting?
CIRCIA establishes two distinct reporting obligations based on incident type:
Covered Cybersecurity Incidents — 72-Hour Report
A covered cybersecurity incident is defined as any incident that:
- Substantially affects the covered entity's ability to function or operate.
- Gives rise to a reasonable belief that the incident has or is likely to compromise the confidentiality, integrity, or availability of the entity's information system.
- Is reasonably likely to result in one or more of: significant harm to a critical infrastructure system, a substantially increased risk of harm to public health or safety, or a significant economic impact on the covered entity or the public.
Examples of reportable incidents include:
- Ransomware attacks that encrypt critical systems for more than 24 hours.
- Data breaches involving sensitive personal information or critical operational data.
- Denial-of-service attacks that render a covered system unavailable for an extended period.
- Supply chain compromises that affect the integrity of software or hardware used in critical operations.
The report must be submitted to CISA within 72 hours of the covered entity reasonably believing the incident has occurred. This timeframe begins when the entity has enough information to know the incident is reportable—not from the moment of initial detection.
Ransomware Payment Report — 24-Hour Report
Separately, any covered entity that makes a ransomware payment—regardless of the amount or whether the payment is legal under other laws—must submit a report to CISA within 24 hours of making the payment. This report must include:
- The date, amount, and currency of the payment.
- The name of the ransomware variant used and, if known, contact information for the ransomware actor.
- Any information the entity has about the threat actor.
- A description of the impact of the attack.
This provision is particularly significant because it removes the traditional wait-and-see approach to ransomware payments. Organizations must now have a pre-approved payment decision process and the ability to compile a report within a single day.
Critical Distinction: The 72-hour incident report and the 24-hour payment report are separate obligations. An entity that experiences a ransomware incident and pays a ransom must file both reports. The incident report covers the attack itself; the payment report covers the financial transaction.
What Information Must Be Included in a CIRCIA Report?
CIRCIA requires a detailed report to CISA that includes, at a minimum, the following information:
- A description of the incident, including its suspected origin and timeline.
- The type of incident (e.g., ransomware, data breach, DDoS).
- The vulnerabilities exploited or methods used.
- The actual or potential impact on the covered entity's operations or systems.
- The identity (if known) of the threat actor or actors.
- Any indicators of compromise (IOCs) identified.
- Contact information for the entity's designated reporting point of contact.
- Information about the entity itself (name, sector, location of covered system).
CISA is required to establish a secure portal for electronic submission, and entities can submit reports using a standardized format. The agency may also request follow-up information within 30 days of the initial report.
Importantly, CIRCIA provides limited liability protection for entities that file reports in good faith. Information shared with CISA is generally exempt from public disclosure under the Freedom of Information Act (FOIA) and cannot be used in civil lawsuits or criminal proceedings against the reporting entity. This protection is designed to encourage robust reporting without fear of legal exposure.
Penalties for Non-Compliance
Non-compliance with CIRCIA carries significant consequences:
- Civil penalties: CISA can impose civil fines of up to $500,000 per violation, per day. A violation is defined as the failure to submit a required report within the specified timeframe. For a 72-hour report, a violation accrues at the 72-hour mark and continues until the report is submitted.
- Enforcement actions: CISA can refer non-compliant entities to the Department of Justice for further legal action, including potential criminal referral.
- Reputational risk: CISA may publicly disclose the names of entities that are subject to enforcement actions, creating significant reputational damage.
- Loss of liability protection: Entities that willfully fail to report lose the legal protections afforded by the act.
Given the severity of these penalties, organizations must have a reliable, auditable reporting process in place before an incident occurs.
How CIRCIA Interacts with Other US Reporting Laws
CIRCIA does not exist in a vacuum. Covered entities must navigate a patchwork of overlapping federal and state reporting requirements:
- HIPAA Breach Notification Rule: Healthcare organizations that are both HIPAA-covered entities and CIRCIA-covered entities must report breaches to HHS OCR within 60 days and to CISA within 72 hours.
- NYDFS 23 NYCRR 500: Financial institutions regulated by New York must report cybersecurity incidents to the NYDFS within 72 hours and now also to CISA under CIRCIA.
- SEC Cyber Disclosure Rules: Publicly traded companies must report material cybersecurity incidents on Form 8-K within four business days and also file a CIRCIA report within 72 hours.
- State breach notification laws: Most US states require notification to affected individuals and state Attorneys General within 30-60 days of a breach involving personal information.
While CIRCIA reports are confidential and exempt from public disclosure, the same incident may trigger public reporting obligations under other laws. Organizations must coordinate their incident response process to satisfy all applicable requirements simultaneously.
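The overlapping clocks described above, and the separate 72-hour and 24-hour CIRCIA obligations from the "Critical Distinction" note, are easiest to manage as data rather than as a checklist. The following Python is an added example (not code from this article or from any CyberSilo product) that derives every filing deadline for one incident using the periods the article lists. Its assumptions are labelled in the comments: the HIPAA and state clocks are taken to run from initial detection, the NYDFS clock from the same reasonable-belief moment as CIRCIA, and the SEC's four business days are counted as weekdays only, ignoring holidays. The sample scenario's timestamps are constructed.

```python
"""Deadline tracker for one cyber incident across overlapping US reporting regimes.

Added example; periods come from the article, trigger-point assumptions are noted inline.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Obligation:
    """One filing obligation derived from a single incident."""
    regime: str
    clock_start: datetime   # the event that starts this regime's clock
    deadline: datetime
    public_filing: bool     # True if the filing itself becomes public (e.g. an 8-K)


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2025-03-14T09:00:00Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by N weekdays. Assumption: public holidays are not modelled."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday=0 ... Friday=4
            days -= 1
    return current


def reporting_obligations(
    detected_at: datetime,
    reasonable_belief_at: datetime,
    *,
    ransom_paid_at: datetime | None = None,
    hipaa_covered: bool = False,
    nydfs_regulated: bool = False,
    sec_material_at: datetime | None = None,
    state_notice_days: int | None = None,
) -> list[Obligation]:
    """Return every obligation triggered by this incident, earliest deadline first."""
    if reasonable_belief_at < detected_at:
        raise ValueError("reasonable belief cannot precede initial detection")

    obligations = [
        # CIRCIA: 72 hours from reasonable belief, not from initial detection.
        Obligation("CIRCIA covered incident report (CISA)", reasonable_belief_at,
                   reasonable_belief_at + timedelta(hours=72), public_filing=False),
    ]
    if ransom_paid_at is not None:
        # Separate obligation: 24 hours from the payment itself, filed in addition to the above.
        Obligation  # (kept explicit for readers scanning the two CIRCIA clocks)
        obligations.append(Obligation("CIRCIA ransomware payment report (CISA)", ransom_paid_at,
                                      ransom_paid_at + timedelta(hours=24), public_filing=False))
    if hipaa_covered:
        # Assumption: the 60-day HIPAA clock runs from initial detection (discovery).
        obligations.append(Obligation("HIPAA breach notification (HHS OCR)", detected_at,
                                      detected_at + timedelta(days=60), public_filing=True))
    if nydfs_regulated:
        # Assumption: the NYDFS 72-hour clock starts at the same reasonable-belief moment.
        obligations.append(Obligation("NYDFS 23 NYCRR 500 notice", reasonable_belief_at,
                                      reasonable_belief_at + timedelta(hours=72), public_filing=False))
    if sec_material_at is not None:
        # Four business days from the materiality determination; the 8-K is public.
        obligations.append(Obligation("SEC Form 8-K Item 1.05", sec_material_at,
                                      add_business_days(sec_material_at, 4), public_filing=True))
    if state_notice_days is not None:
        # Assumption: the state clock (30-60 days, varies by state) runs from detection.
        obligations.append(Obligation("State breach notification", detected_at,
                                      detected_at + timedelta(days=state_notice_days), public_filing=True))

    return sorted(obligations, key=lambda o: o.deadline)


def overdue(obligations: list[Obligation], now: datetime,
            filed: frozenset[str] = frozenset()) -> list[Obligation]:
    """Obligations whose deadline has passed and that have not been marked as filed."""
    return [o for o in obligations if o.regime not in filed and now > o.deadline]


def next_due(obligations: list[Obligation],
             filed: frozenset[str] = frozenset()) -> Obligation | None:
    """The earliest unfiled obligation, or None when everything has been filed."""
    for o in obligations:                 # already sorted by deadline
        if o.regime not in filed:
            return o
    return None


def example_timeline() -> list[Obligation]:
    """Constructed scenario: a Friday ransomware incident at a HIPAA- and NYDFS-covered registrant."""
    return reporting_obligations(
        detected_at=parse_utc("2025-03-14T09:00:00Z"),          # SOC alert fires
        reasonable_belief_at=parse_utc("2025-03-14T15:00:00Z"), # IR lead concludes it is covered
        ransom_paid_at=parse_utc("2025-03-15T10:00:00Z"),       # payment made next morning
        hipaa_covered=True,
        nydfs_regulated=True,
        sec_material_at=parse_utc("2025-03-14T15:00:00Z"),
        state_notice_days=30,
    )


if __name__ == "__main__":
    for o in example_timeline():
        print(f"{o.deadline.isoformat()}  {o.regime}  {'(public)' if o.public_filing else ''}")
```

Running the block prints the six deadlines in order; note that the 24-hour payment report falls due before the 72-hour incident report even though the payment happened later, which is the practical reason the article insists on a pre-approved payment decision process. Pass the set of regimes already filed to `overdue` and `next_due` to drive a status board during the incident.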
To manage this complexity, CyberSilo's Threat Exposure Management platform integrates with your existing incident response workflows to automate CIRCIA reporting across multiple regulatory frameworks.
Building a CIRCIA Compliance Program
Establishing a compliant program requires a structured approach. Here is a phased process for achieving and maintaining CIRCIA readiness:
Determine If You Are a Covered Entity
Assess whether your organization owns, operates, or controls a critical infrastructure system and meets the size, ownership, or functional thresholds defined by CISA. This analysis should be conducted by a qualified compliance expert to avoid misclassification.
Establish Incident Detection and Classification Capabilities
Deploy robust SIEM, EDR, and network detection tools to identify incidents in real time. Train your SOC analysts on CIRCIA's specific criteria for a "covered cybersecurity incident" so they can classify incidents accurately within the 72-hour clock.
Define a Reporting Workflow
Create a documented workflow that assigns ownership for CIRCIA report preparation, internal approval, and submission to CISA. The workflow must include a 24-hour sub-process for ransomware payment notifications. Automate data collection from your security tools to reduce manual effort and errors.
Integrate with Existing Incident Response Plans
Update your incident response plan to include CIRCIA-specific triggers, timelines, and communication protocols. Cross-reference with HIPAA, NYDFS, and other applicable regulations to ensure unified reporting across all obligations.
Conduct Tabletop Exercises and Testing
Run simulated CIRCIA-covered incidents to validate your reporting process. Measure your team's ability to identify the incident, gather required data, and submit a complete report within 72 hours. Refine workflows based on findings.
Maintain Ongoing Compliance and Audit Trails
Keep detailed records of all incident detection actions, internal communications, and reporting submissions. CISA may request follow-up information within 30 days of a report, and audit oversight bodies may review your compliance program years later.
Leading organizations pair this workflow with automated compliance tools. CyberSilo's Threat Exposure Management solution can reduce CIRCIA report preparation time by an average of 60%, ensuring you meet the 72-hour deadline without straining your security team.
Get a CIRCIA Compliance Assessment
Is your organization prepared for mandatory CISA reporting? Our experts can evaluate your current incident response capabilities, perform a gap analysis of your reporting workflows, and help you build a CIRCIA-compliant program. Schedule a confidential assessment today.
Frequently Asked Questions About CIRCIA
What is the difference between CIRCIA and CISA?
CISA (the Cybersecurity and Infrastructure Security Agency) is the federal agency responsible for implementing and enforcing CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act). CIRCIA is the law that creates the mandatory reporting requirement; CISA is the regulator that collects reports and issues guidance.
Does CIRCIA apply to my small business?
Only if your business is designated as part of a critical infrastructure sector AND meets the applicable size threshold—typically more than 50 employees, publicly traded, or a government entity. Small businesses that are not in critical infrastructure sectors or that fall below the threshold are not covered by CIRCIA.
How do I submit a report to CISA under CIRCIA?
CISA is developing a secure online portal for CIRCIA report submissions. The agency will publish submission instructions in the final rule and on the CISA website. Covered entities should monitor CISA's CIRCIA page for updates and prepare their internal workflows now.
Can I share CIRCIA reports with my insurance company or legal team?
Yes, CIRCIA reports can be shared with third parties such as insurers, legal counsel, and forensic investigators. However, the reports retain their FOIA exemption and legal protections only when shared with CISA. Once shared externally, they may lose some legal protections. Consult with legal counsel before broad distribution.
What are the penalties for lying or omitting information in a CIRCIA report?
Knowingly making a false statement or willfully omitting required information in a CIRCIA report can result in criminal penalties under 18 U.S.C. § 1001, including fines and imprisonment. Good-faith errors are not subject to these penalties, but intentional deception is a serious crime.
Does CIRCIA require reporting if no data was stolen?
Yes, if the incident substantially affects the covered entity's ability to function or operate. For example, a ransomware attack that encrypts critical systems but results in no data exfiltration is still reportable because it impairs operations. The focus is on the impact on critical infrastructure, not solely on data loss.
Preparing for CIRCIA Ahead of the Final Rule
While the final rule from CISA is expected in 2025, forward-thinking organizations are already taking proactive steps:
- Start gap analysis now: Assess current incident response and reporting capabilities against the proposed rule's requirements.
- Invest in detection automation: Implement ThreatHawk SIEM to automatically detect, classify, and compile incident data in real time.
- Engage with CISA: Participate in the ongoing rulemaking process by submitting comments and attending industry briefings.
- Update supply chain contracts: Require critical vendors and partners to maintain CIRCIA-compliant reporting processes, as supply chain incidents are explicitly covered.
- Allocate budget: CIRCIA compliance is a multi-year investment. Factor in costs for technology, training, and legal support.
Our Conclusion & Recommendation
CIRCIA represents a new era of mandatory cyber incident reporting in the United States, fundamentally altering the relationship between private-sector critical infrastructure organizations and the federal government. For CISOs and compliance leaders, the law demands a shift from reactive, ad hoc reporting to a structured, automated, and defensible process. The costs of non-compliance—up to $500,000 per day—far outweigh the investment in preparation.
We recommend that all organizations likely to be covered by CIRCIA begin building their compliance programs immediately, even before the final rule takes effect. This includes defining incident classification criteria, automating data collection, and conducting tabletop exercises. CyberSilo's Threat Exposure Management platform provides the automated detection, reporting, and audit trail capabilities necessary to meet CIRCIA's strict timelines without overwhelming your security team. Combined with our US cybersecurity compliance services, we help you achieve and maintain CIRCIA readiness while managing obligations across other frameworks.
Get a Compliance Assessment Today
Don't wait until the final rule takes effect. Schedule a confidential CIRCIA compliance assessment with CyberSilo's team of regulatory experts and gain a clear roadmap to compliance.
