Skip to main content
govconCyber
Compliance Guidance

CISA Reopened the CIRCIA Comment Window — and the Defense Industrial Base Has a Seat on June 18

CISA reopened CIRCIA stakeholder input with town halls June 15-18, 2026; the defense industrial base is scheduled June 18. The 72-hour reporting rule isn't final — its scope and burden are still open for comment.

Brandon Hancock, J.D., CMMC-RPPublished June 14, 2026Updated June 15, 20265 min read

*The cyber-incident reporting rule that will reach far beyond DoD contractors is not finished yet. CISA just gave the defense industrial base a narrow, dated window to shape how heavy it lands.*

Before it locks in the long-awaited CIRCIA reporting rule, CISA has reopened the door to stakeholder input — and the defense industrial base has a specifically scheduled session on Thursday, June 18, 2026. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will require covered entities to report substantial cyber incidents within 72 hours and ransom payments within 24 hours. Many government contractors will fall inside the "covered entity" definition, which is exactly why the current moment matters: this is a time-boxed chance to influence the rule's scope and burden before the text is finalized.

What CISA Announced

In a May 26, 2026 Federal Register notice, CISA published a revised schedule of virtual town hall meetings on the CIRCIA rulemaking. The sessions run across the week of June 15: a general session on Monday, June 15; critical-infrastructure Grouping A on Tuesday, June 16; a second general session on Wednesday, June 17; and critical-infrastructure Grouping B on Thursday, June 18. The defense industrial base sits in Grouping B — alongside chemical, commercial facilities, critical manufacturing, energy, financial services, information technology, and nuclear sectors.

These meetings replace town halls originally planned for March and April 2026 that CISA postponed during a lapse in DHS appropriations. CISA's stated purpose is to give stakeholders a "limited additional opportunity" to refine the scope and burden of the Notice of Proposed Rulemaking it issued back in April 2024. In acting director Nick Andersen's words, the agency wants CIRCIA implemented "with minimal unnecessary burden to entities in critical infrastructure sectors."

Why This Is Distinct From the Rule Itself

We have written before about CIRCIA as the third cyber-reporting clock contractors will run, on top of obligations like DFARS 72-hour reporting. That explainer covers what the rule will require. This is a different development: a procedural reopening of the engagement process, with concrete dates and a defense-industrial-base-specific slot. The rule is not final. The reporting thresholds, the definition of a "covered entity," and the mechanics of harmonizing CIRCIA with existing reporting regimes are all still in play — and CISA is signaling it will listen.

For a contractor, the practical takeaway is that the burden of CIRCIA is not yet fixed in stone. The difference between a workable reporting threshold and a crushing one often comes down to whether affected industries showed up with specific, evidence-based comments during exactly this kind of window.

How to Use the Window

If you may be a covered entity, treat June 18 as a working deadline rather than a webinar. Map your likely CIRCIA exposure now: identify which of your systems and incidents would plausibly trigger the 72-hour and 24-hour clocks, and where those overlap with reporting you already do under DFARS 252.204-7012 or other regimes. Bring the duplication and timing conflicts to CISA's attention — harmonization with existing obligations is precisely the kind of input the agency says it wants. Coordinate through your industry association or prime where possible, because aggregated, sector-specific feedback tends to carry more weight than one-off comments.

Even if you do not participate, use the moment to get ready. Confirm you have an incident-response process that can actually produce a report inside a 72-hour clock, and that your contracts and subcontracts reflect who reports what. Our build-a-program guide and checklists can help you pressure-test that readiness before the rule is final.

Key Takeaways

  • CISA reopened CIRCIA stakeholder engagement with town halls June 15–18, 2026; the defense industrial base is scheduled in Grouping B on June 18, after the original spring sessions were postponed during the DHS funding lapse.
  • CIRCIA will require covered entities — many contractors among them — to report substantial incidents within 72 hours and ransom payments within 24 hours; the scope and burden are still open for input.
  • This is a narrow, dated opportunity to shape the rule, especially on harmonizing CIRCIA with existing reporting like DFARS 7012 — show up prepared or use the time to test your own incident-reporting readiness.

Unsure whether CIRCIA and your other reporting clocks apply to you? Start with Find My Requirements or review the federal statutes page.

Tags
Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.

About GovConCyber →Subscribe to the newsletter →
Was this post helpful?

Keep reading

Compliance GuidanceDoD's Cyber-Harmonization Deadline Has Passed: What NDAA Section 866 Means for Defense ContractorsNDAA Section 866 required DoD to harmonize and trim defense-industrial-base cyber requirements by June 1, 2026. Relief will roll out gradually, but the security bar stays in place.June 9, 2026 · 6 min readCompliance GuidanceCUI vs. FCI: The Distinction That Sets Your Cybersecurity BurdenTwo acronyms decide how much cybersecurity a federal contract demands of you. Get the FCI-versus-CUI line wrong and you either over-build or — far worse — under-protect data the government expects you to guard.June 8, 2026 · 5 min readCompliance GuidanceThe CISA Cross-Sector Cybersecurity Performance Goals: A Plain-English Baseline for ContractorsCISA's CPGs aren't a regulation, and they won't appear in a contract clause. But they are the clearest free checklist of "what good looks like" for a small contractor — and a smart way to prepare for the binding standards that will.June 8, 2026 · 6 min read