Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements; Extension of Comment Period

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), as amended, requires the Cybersecurity and Infrastructure Security Agency (CISA) to promulgate regulations implementing the statute's covered cyber incident and ransom payment reporting requirements for covered entities. CISA seeks comment on the proposed rule to implement CIRCIA's requirements and on several practical and policy issues related to the implementation of these new reporting requirements.

Comments and related material must be submitted on or before July 3, 2024.


CISA is including in the docket a draft privacy and civil liberties guidance document that would apply to CISA's retention, use, and dissemination of personal information contained in a CIRCIA Report and guide other Federal departments and agencies with which CISA will share CIRCIA Reports. CISA encourages interested readers to review this draft guidance and to submit comments on it. Commenters should clearly identify which specific comment(s) concern the draft guidance document.

Under the proposed rule, covered entities will have 72 hours to report to CISA a “covered cyber incident” and 24 hours to report a ransom payment.