Status as of the review date below — CIRCIA's final rule is pending, not yet in effect. This is a "watch and prepare" item. Confirm current status before relying on any timeline.
What CIRCIA Is
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directs CISA to require covered entities to report significant cyber incidents and ransomware payments. It is a new, separate reporting regime — distinct from DFARS 252.204-7012's 72-hour reporting to DoD, from agency-specific clauses, and from state breach-notification laws.
Where the Rulemaking Stands
CISA issued a proposed rule (NPRM) in 2024 and, after a large volume of public comment, has been working toward a final rule. As of mid-2026 the final rule remains pending — most recently targeted for around May 2026 — and CISA has signaled that the timeline can slip (including due to appropriations lapses) and that it is working to streamline and reduce the reporting burden from the proposed version. Until the final rule takes effect, CIRCIA's specific obligations are not yet binding.
What It Is Expected to Require
Based on the statute and the proposed rule, once effective CIRCIA is expected to require covered entities to report:
- a covered cyber incident within 72 hours of reasonably believing it occurred; and
- a ransomware payment within 24 hours of making it.
"Covered entity" and "covered cyber incident" are defined by the rule; many government contractors that operate in or support critical-infrastructure sectors are likely to fall within scope.
What Contractors Should Do Now
- Map your existing reporting duties first — DFARS, agency clauses, and state breach laws already apply. See Cyber Incident Reporting Beyond DFARS.
- Build an incident-response plan that can answer, at detection: what data is involved, which contracts and regulators apply, and what is the shortest clock? A future 24/72-hour CIRCIA duty then slots in without scrambling.
- Watch for the final rule and its effective date before treating CIRCIA's specific timelines as live obligations.
Source Notes
Primary sources: the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and CISA's CIRCIA rulemaking materials (NPRM and subsequent notices). Status is summarized as of the review date and is subject to change. Educational analysis, not legal advice.