The Cybersecurity and Infrastructure Security Agency is resuming public discussions on postponed cyber incident reporting regulations that are expected to impact tens of thousands of critical infrastructure organizations.
These sessions are taking place as CISA faces growing pressure to finalize the rules swiftly, while certain legislators and industry associations are urging the agency to revise the proposed regulations to make them less extensive and less onerous.
Beginning Monday, CISA will hold a series of online town halls to gather input on the proposed regulations designed to carry out the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The sessions will continue through Wednesday.
CISA had originally scheduled these meetings for this spring, but they were postponed because of the partial government shutdown.
In a keynote speech at a June 9 conference organized by Axonius in Washington, acting CISA Director Nick Andersen stated that CIRCIA reporting will be part of a “nationwide transformation” in how the government assesses cyber risks and threats.
“We need your meaningful feedback to make this as effective as possible,” Andersen said.
The reporting requirements will span 16 critical infrastructure sectors, ranging from electric utilities and water systems to hospitals and chemical plants. Under the regulations, affected organizations will be required to report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
Congress enacted the law in response to increasing cyber attacks on critical infrastructure, particularly the 2021 Colonial Pipeline ransomware attack.
CISA says the incident reports will enable it to “quickly deploy resources and provide assistance to victims experiencing attacks, examine incoming reports across sectors to identify patterns, and rapidly share that information with network defenders to alert other potential targets.”
However, the 2024 draft CIRCIA regulations released under the Biden administration have faced criticism for being too broad, potentially covering an estimated 300,000 organizations, and unclear in how they define a cyber incident that must be reported to CISA.
The rules have also been faulted for conflicting with numerous sector-specific cyber reporting requirements. Officials have indicated that CISA will create information-sharing agreements with other agencies to minimize duplication, but there has been limited information about the progress of those agreements.
Last year, the Trump administration paused implementation of the rules to collect additional input.
At a June 10 event hosted by the Homeland Security Defense Forum in Washington, House Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.) said he was pleased the administration ultimately postponed CIRCIA. He described the proposed rules as “not good.”
“We were so relieved to have it completed and then suddenly, it’s not what we intended,” Garbarino said. “So ensuring that it matches what we intended … because there were so many reporting requirements already in place. We wanted this to be the one, not just another one. So getting it right is extremely important to me.”
But other legislators are pushing CISA to finalize the rule quickly.
In their report on the fiscal 2027 homeland security spending bill, members of the GOP-led House Appropriations Committee wrote that the panel is “concerned about delays in issuing the final CIRCIA rule and urged CISA to complete it promptly after stakeholder review and feedback.”
The report instructs CISA to update the committee on its CIRCIA plans as part of quarterly budget and staffing updates.
When asked by a reporter following his keynote at the Axonius conference, Andersen said he does not have a specific timeline in mind for finalizing CIRCIA.
“I don’t want to assume the volume and the nature of comments that we’re going to receive from the town halls,” Andersen said. “We could receive many comments that fundamentally change our perspective on what the need is here, but our focus is simply on what was the original congressional intent behind CIRCIA. What is the greatest need that we’re going to be able to address, and how is it going to advance the mission that we have for the nation, but at this time, I don’t have a specific date to provide you for finalization.”
The regulations represent the first that CISA has developed. The cyber agency, established in 2018, has mainly depended on voluntary partnerships with the private sector.
Another crucial question is how efficiently and effectively CISA will be able to handle the large volume of cyber incident reports from across various sectors.
CISA’s fiscal 2027 budget request outlines how the agency is developing an “unclassified ticketing system with role-based access controls” to help manage CIRCIA. The system will enable “integration with other tools in a unified ecosystem, preparing CISA to securely receive, aggregate, analyze, enrich, and share information from reports,” the budget request states.
CISA is also building a new “public-facing web portal” for organizations to submit CIRCIA reports, according to the budget request.
© 2026 Federal News Network. All rights reserved.



