
CIRCIA Is Almost Final: The Third Cyber-Reporting Clock Contractors Can't Ignore

CISA's long-delayed cyber-incident reporting rule is back in finalization. For government contractors, it adds a third reporting clock on top of the ones you already run.

Brandon Hancock, J.D., CMMC-RP · Published June 7, 2026 · Updated June 8, 2026 · 6 min read

If you already report cyber incidents under DFARS, brace for one more obligation that runs on its own timetable. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 — CIRCIA — directs CISA to require covered entities to report significant cyber incidents and ransom payments on a fixed clock. After a proposed rule in April 2024 and a string of delays, CISA is in what observers are calling its "take two" on finalization, with the most recent public target landing around 2026. The schedule keeps slipping amid DHS funding lapses, but the substance is taking shape — and it reaches far more contractors than most expect.

What CIRCIA Will Require

CIRCIA's two headline obligations have stayed stable across the rulemaking and are not expected to change:

  • 72-hour incident reporting. A covered entity must report a covered cyber incident to CISA within 72 hours after it reasonably believes the incident occurred.
  • 24-hour ransom-payment reporting. A covered entity must report a ransom payment within 24 hours of making it.

The rule also contemplates supplemental reports as new information emerges, and data-preservation duties tied to the reported incident. In other words, the report isn't a one-and-done filing — it opens an ongoing obligation.

Why This Lands on Government Contractors

CIRCIA is written around "covered entities" in the 16 critical-infrastructure sectors — defense industrial base, IT, healthcare, financial services, energy, water, transportation, and more. Here's the overlap problem: the universe of companies that hold federal contracts and the universe of critical-infrastructure entities are largely the same companies. A defense supplier, a health IT vendor, a cloud provider serving agencies — each can be a covered entity under CIRCIA regardless of what its contract clauses say.

That means CIRCIA stacks on top of obligations you already carry. A single incident could trigger:

  • DFARS 252.204-7012 — report to DoD within 72 hours (for covered defense information).
  • The proposed FAR CUI rule — report suspected or confirmed CUI incidents within 8 hours of discovery, if and when finalized.
  • CIRCIA — report to CISA within 72 hours, plus 24 hours for any ransom payment.
  • State breach-notification laws — their own independent deadlines based on whose data was affected.

These clocks do not satisfy one another. Meeting your DoD window does nothing for your CISA window. You need a single intake process that can fan out to every applicable deadline at once.

The Enforcement Edge

CIRCIA gives CISA real leverage: it can issue requests for information and subpoenas to entities believed to have experienced a reportable incident, and noncompliance can be referred to the Department of Homeland Security's suspension-and-debarment official. For a government contractor, suspension or debarment is an existential risk — which makes CIRCIA's reporting duties a contract-eligibility issue, not just a cybersecurity one.

What to Do Before the Final Rule Lands

The timeline is uncertain, but the obligations are foreseeable. Prepare now:

1. Determine whether you're a covered entity. Map your operations against the 16 critical-infrastructure sectors; if you serve any of them, assume you're in scope until the final rule says otherwise.
2. Build one incident-reporting playbook with multiple clocks. When an incident is detected, the playbook should immediately flag every deadline — DoD, CISA, FAR CUI, state — and assign an owner to each.
3. Set the shortest clock as your default. If an 8-hour FAR CUI obligation could apply, build your process to hit 8 hours; everything else follows automatically.
4. Tighten ransom-payment governance. A 24-hour clock means legal, executive, and security leadership need a pre-agreed decision process before, not during, an extortion event.
5. Preserve evidence by default. Reporting obligations come with preservation expectations; make forensic preservation automatic.
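One way to make steps 2 and 3 concrete is an intake routine that fans a single detection time out to every applicable clock and sorts them so the shortest one drives the response. This is an added example, not code from the post or from GovConCyber; the clock lengths are the figures quoted above, while the regime labels, the owner roles and the scenario in `demo()` are constructed placeholders, and state-law deadlines are left out because they vary by state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Clock lengths are the figures quoted in the post; the regime labels and the
# owner roles are constructed placeholders, not text from any regulation.
CLOCKS = {
    "DFARS 252.204-7012 (DoD)": timedelta(hours=72),
    "FAR CUI rule (proposed)": timedelta(hours=8),
    "CIRCIA incident (CISA)": timedelta(hours=72),
    "CIRCIA ransom payment (CISA)": timedelta(hours=24),
}

@dataclass(frozen=True)
class Deadline:
    regime: str
    starts: datetime   # when this regime's clock started running
    due: datetime      # latest moment the report may be filed
    owner: str         # accountable person; "UNASSIGNED" is a playbook gap

def fan_out(discovered_at: datetime, *, covered_defense_info: bool,
            cui_involved: bool, circia_covered_entity: bool = True,
            reasonably_believed_at: Optional[datetime] = None,
            ransom_paid_at: Optional[datetime] = None,
            owners: Optional[dict] = None) -> list:
    """Return every applicable deadline for one incident, earliest due first.

    circia_covered_entity defaults to True because the post says to assume
    you are in scope until the final rule says otherwise. CIRCIA's incident
    clock runs from reasonable belief, which need not equal discovery."""
    owners = owners or {}
    found = []

    def add(regime: str, start: datetime) -> None:
        found.append(Deadline(regime, start, start + CLOCKS[regime],
                              owners.get(regime, "UNASSIGNED")))

    if covered_defense_info:
        add("DFARS 252.204-7012 (DoD)", discovered_at)
    if cui_involved:
        add("FAR CUI rule (proposed)", discovered_at)
    if circia_covered_entity:
        add("CIRCIA incident (CISA)", reasonably_believed_at or discovered_at)
        if ransom_paid_at is not None:
            add("CIRCIA ransom payment (CISA)", ransom_paid_at)
    return sorted(found, key=lambda d: d.due)  # shortest clock is found[0]

def demo() -> list:
    """Constructed scenario: CDI and CUI both hit, ransom paid 30 hours later."""
    t0 = datetime(2026, 6, 7, 9, tzinfo=timezone.utc)
    return fan_out(t0, covered_defense_info=True, cui_involved=True,
                   ransom_paid_at=t0 + timedelta(hours=30),
                   owners={"FAR CUI rule (proposed)": "contracts-lead"})
```

Any `UNASSIGNED` owner in the result is the gap step 2 tells you to close before an incident, not after.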

Key Takeaways

  • CIRCIA is in final-rule finalization with its 72-hour incident and 24-hour ransom clocks intact, even as the date slips.
  • Most government contractors are also critical-infrastructure entities, so CIRCIA adds a third reporting clock alongside DFARS and the proposed FAR CUI rule.
  • Noncompliance can reach the suspension-and-debarment official — treat CIRCIA as a contract-eligibility risk and build one playbook that fires every deadline at once.

See how the federal reporting obligations fit together on our Federal Requirements: Statutes page, confirm what applies to you with Find My Requirements, and pair this with our guide to DFARS 252.204-7012.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
