In plain terms. CIRCIA requires operators of critical infrastructure to tell the federal government when they suffer a serious cyber incident or pay a ransom, so threat information can be shared and acted on quickly.
Who it applies to. "Covered entities" in critical-infrastructure sectors (as defined by Presidential Policy Directive 21). Other organizations are encouraged, but not required, to report voluntarily.
What it requires.
- Report a covered cyber incident to CISA within 72 hours.
- Report a ransom payment within 24 hours.
- Keep reporting updates until the incident is resolved (an ongoing obligation).
- Entities may use third parties — incident-response firms, law firms, or cyber insurers — to file on their behalf.
Why it matters. CISA can issue a subpoena to a covered entity that fails to report. To encourage candor, reports submitted under CIRCIA cannot be used for regulatory enforcement or as evidence in a government proceeding. The Act also created a Cyber Incident Reporting Council to harmonize overlapping federal reporting rules and a Joint Ransomware Task Force.
Citation. Pub. L. 117-103 (Mar. 15, 2022); 6 U.S.C. ch. 1, subch. XVIII, pt. D. Implementing rule: 6 C.F.R. Part 226 (Covered Cyber Incident and Ransom Payment Reporting).
Status. CISA's CIRCIA rulemaking is still in progress (NPRM April 2024; final rule expected 2026). Reporting under CIRCIA is in addition to contract clauses such as DFARS 252.204-7012, so one incident can trigger several reports.