Valtik Studios
CISA / Federal · critical · Updated 2026-04-16 · 18 min

CIRCIA Incident Reporting: What Critical Infrastructure Owes CISA in 2026

CISA's final rule (6 CFR Part 226) defines what counts as a reportable incident, who must report, and the 72-hour (or 24-hour for ransom payments) clock. This post walks through the covered-entity definition across the 16 critical infrastructure sectors, the incident report fields, the safe harbor provisions, the interaction with SEC 8-K / NERC CIP / TSA / HIPAA, and the runbook for the first 24 hours of an incident where reporting is mandatory.

Phillip (Tre) Bucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

# CIRCIA incident reporting: what critical infrastructure owes CISA in 2026

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 took nearly three years to become an operative regulation. CISA published the final rule in late 2025 after an extended comment period that attracted over 1,000 responses. The rule lives at 6 CFR Part 226. It is now law, with phased applicability starting in 2026.

For covered entities, CIRCIA imposes two mandatory reporting obligations that cannot be negotiated away: a 72-hour deadline to report a "covered cyber incident" and a 24-hour deadline to report a ransom payment. The penalties for non-compliance are civil, but CIRCIA is also paired with criminal referral authority if a covered entity knowingly files a false report.

This post is the full walkthrough: the statutory background, the definitions that determine whether you are covered, the incident-reporting clock, the report content, the safe-harbor provisions, and the practical incident response playbook adjustments needed to meet the deadlines. It is written for security and IR leads at covered entities who need to execute against the rule, not for abstract policy readers.

The statutory background

CIRCIA was enacted in March 2022 as part of the Consolidated Appropriations Act. The statute gave CISA rulemaking authority to implement the reporting requirements. The proposed rule published in April 2024 drew significant industry pushback on scope, thresholds, and cost estimates. The final rule, published late 2025 at 6 CFR Part 226, narrowed some definitions from the proposal, preserved the 72-hour and 24-hour clocks, and set implementation dates in 2026.

The policy intent behind CIRCIA is visibility. Before CIRCIA, federal agencies had fragmented views of incidents across sectors. The FBI saw what it saw through voluntary reports. CISA saw what it saw through Einstein and sector-specific relationships. The SEC required public company disclosure under different timelines. Treasury had OFAC-driven visibility for ransomware. None of these had a unified picture. CIRCIA forces critical infrastructure into a single reporting channel (CIRCIA reports flow to CISA), which CISA is then required to share, with safeguards, with the FBI, the sector risk management agencies, and other federal partners.

CIRCIA does not preempt state breach notification laws, SEC disclosure requirements, HHS HIPAA notifications, or any sector-specific federal requirements. It stacks on top of them. For a healthcare covered entity that suffers a ransomware incident with PHI exposure, CIRCIA, HIPAA Breach Notification, and state breach laws all attach simultaneously.

Who is a "covered entity" under CIRCIA

Covered entities are defined as entities in one of the 16 critical infrastructure sectors (as set out in Presidential Policy Directive 21) that meet either a size threshold or a sector-specific criticality threshold.

The 16 sectors:

  1. Chemical
  2. Commercial Facilities
  3. Communications
  4. Critical Manufacturing
  5. Dams
  6. Defense Industrial Base
  7. Emergency Services
  8. Energy
  9. Financial Services
  10. Food and Agriculture
  11. Government Facilities
  12. Healthcare and Public Health
  13. Information Technology
  14. Nuclear Reactors, Materials, and Waste
  15. Transportation Systems
  16. Water and Wastewater Systems

Within those sectors, the final rule applies CIRCIA to:

Size-based covered entities: entities in one of the 16 sectors that exceed the SBA small-business size standard for their primary NAICS code. The SBA small-business thresholds vary by industry; typical cutoffs are 500 employees or $10-40 million in revenue. Entities smaller than the SBA threshold in their NAICS code are not size-based covered entities.

Sector-based covered entities (always covered regardless of size): these are defined sector by sector in the final rule. Selected examples:

  • Communications: telecommunications carriers providing voice or internet services, domain name system operators, submarine cable operators.
  • Critical Manufacturing: entities producing primary metals, machinery, electrical equipment and components, or transportation equipment at scale.
  • Defense Industrial Base: any contractor or subcontractor that has a CMMC or DFARS 252.204-7012 flow-down and processes controlled unclassified information.
  • Emergency Services: 911 centers (PSAPs), emergency medical services that operate under state licensure, fire departments serving populations over a threshold.
  • Energy: bulk power system entities regulated by NERC CIP, natural gas pipeline operators, LNG facility operators.
  • Financial Services: entities subject to the Gramm-Leach-Bliley Act and the GLBA Safeguards Rule, DTC-eligible securities settlement entities, SWIFT members.
  • Government Facilities: state/local/tribal/territorial entities that operate critical election infrastructure or water systems.
  • Healthcare and Public Health: HIPAA covered entities that are hospitals or health systems serving specified populations, FDA-registered manufacturers of life-supporting medical devices, blood/tissue centers.
  • Information Technology: IaaS and PaaS providers meeting revenue thresholds, managed service providers (MSPs) serving covered entities, domain registrars/registries.
  • Nuclear: NRC-licensed operators.
  • Transportation Systems: Part 139 airports, Class I railroads, major ports, TSA-regulated pipeline operators, hazmat motor carriers.
  • Water and Wastewater Systems: drinking water systems serving a population of more than 3,300; wastewater utilities serving a population of more than 3,300.

An organization may be covered under one or both pathways. If you are a large IT MSP that services a healthcare client, you are covered as an MSP (sector-based) regardless of your own size.

The "covered cyber incident" definition

A "covered cyber incident" under CIRCIA is a substantial cyber incident that meets at least one of four impact criteria:

  1. Substantial loss of confidentiality, integrity, or availability of an information system or network, OR
  2. Serious impact on the safety and resiliency of operational systems and processes, OR
  3. Disruption of the ability to engage in business or industrial operations, or delivery of goods or services, OR
  4. Unauthorized access, facilitated through or caused by (a) a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; (b) a supply chain compromise; (c) a denial-of-service attack that substantially disrupts availability.

The term "substantial" was the focus of much of the rulemaking dispute. The final rule clarifies that substantial means material to the covered entity's operations, considering factors like the scope of systems affected, the duration of the impact, the nature of the data implicated, and the operational consequences. A brief password spray with no successful logins is not substantial. A ransomware incident that encrypts a single workstation with recoverable data is not substantial. A successful phishing attack that results in a threat actor gaining access to production systems is substantial even if no data has been confirmed exfiltrated.

Importantly, the rule's language is "cyber incident that leads to" these impacts. The impact must be actual or reasonably believed to be occurring. A phishing attempt that the user caught before compromise is not a covered cyber incident. A business email compromise where the attacker obtained access to the CFO's mailbox is a covered cyber incident once discovered.

The ransom payment reporting obligation

A separate and narrower category: if a covered entity makes a ransom payment in response to a ransomware attack, a ransom payment report is required within 24 hours of the payment.

This obligation is independent of whether the incident itself qualifies as a covered cyber incident. Any ransom payment by a covered entity in response to a ransomware attack triggers the 24-hour clock.

The ransom payment report is different in scope from the covered cyber incident report. It focuses on the payment details: amount, virtual currency type if applicable, payment date, recipient wallet or account information, and the ransomware variant if known.

If the ransomware incident is itself a covered cyber incident (usually it is, because ransomware meets the impact thresholds), both a 72-hour covered cyber incident report and a 24-hour ransom payment report are required. The covered entity can combine them in a single report that covers both obligations if timing allows.

The 72-hour clock: when it starts

CIRCIA's covered cyber incident report is due within 72 hours from when the covered entity reasonably believes a covered cyber incident has occurred.

"Reasonably believes" is the operative phrase. It is not 72 hours from confirmed diagnosis with full root cause analysis. It is 72 hours from the reasonable belief that a substantial incident has occurred.

In practice, this means the clock can start at the moment the IR lead or designated incident manager concludes that the incident is substantial, based on the facts available at that time. If a SOC analyst flags suspicious lateral movement and the IR manager confirms that the movement likely indicates a compromise of production systems, the clock starts then, not when forensics confirms root cause days later.

The final rule provides some flexibility for early uncertainty. An entity that reports in good faith based on reasonable belief is not penalized if subsequent investigation reveals the event was less significant than initially believed. The safe harbor for good-faith reporting is narrow but real.

The report is not a final forensic report. It is an initial notification with the facts reasonably available at the 72-hour mark. Supplemental reports are required if new material information develops.

Report contents

A CIRCIA covered cyber incident report must include, to the extent the information is available:

  • Identity of the covered entity and the point of contact for the incident response.
  • Description of the incident, including date and time of detection, nature of the incident (ransomware, data exfiltration, unauthorized access, DoS, supply chain), systems affected, and any known or suspected threat actor information.
  • Impact assessment: operational, data, safety, financial to the extent known.
  • Indicators of compromise (IOCs): file hashes, IP addresses, domain names, malware family, TTPs. As much technical detail as is available.
  • Technical information including network diagrams, affected system types, security tools that detected the incident.
  • Response actions taken to date and planned next steps.
  • Third parties involved: IR firms, legal counsel, other federal notifications made, insurance claims filed.
  • Whether a ransom demand has been made and the demand amount, if known.

Supplemental reports are required promptly when substantial new information becomes available. The rule anticipates multiple supplemental reports for a complex incident as the investigation progresses.

Ransom payment reports are more structured. Required fields include the approximate payment date and time, the amount and currency, the method of payment (wire, virtual currency, other), the recipient wallet address or account information, the ransomware variant, and any communication records with the threat actor to the extent they can be shared.

How to submit a report

Reports are submitted to CISA through a web-based reporting portal. The portal accepts structured submissions (required fields plus free-form narrative) and allows supplemental submissions against an existing case number. A phone-based backup path exists for entities whose IR environment prevents use of the web portal.

CISA also accepts reports submitted to third-party channels that it recognizes as functionally equivalent (certain ISACs that have agreements with CISA, and certain sector regulators that have MOUs for simultaneous reporting). The final rule lists the recognized equivalent channels and the conditions under which those submissions satisfy CIRCIA.

Safe harbor provisions

CIRCIA includes several protections designed to encourage full and honest reporting:

Discovery protection: information contained in a CIRCIA report, and any information derived from it, is protected from disclosure in state, federal, or civil litigation. It cannot be obtained through civil discovery, subpoena, or FOIA from the federal agencies receiving the report. This is a substantial protection that does not exist for SEC 8-K filings or state breach notifications.

Regulatory use limitations: a federal agency that receives a CIRCIA report from CISA cannot use the information as the basis for an enforcement action against the reporting entity. Information is shared for situational awareness and threat intelligence purposes, not regulatory enforcement. There are carveouts: information indicating imminent harm or criminal activity may be used for emergency response or criminal investigation purposes.

Liability shields: an entity that files a CIRCIA report in good faith is shielded from civil liability for the act of reporting itself. This does not shield the entity from liability for the underlying incident (breach-of-contract claims, negligence claims for the breach itself). It shields only the reporting act.

Privileged communications: CIRCIA reports filed through outside counsel do not waive attorney-client privilege or work product protection over the underlying investigation. This is a significant clarification that addresses one of the early concerns about CIRCIA chilling investigation documentation.

The safe harbor is the central reason CIRCIA is more tolerable than it initially appeared. An entity can report early and fully, knowing the information cannot be used against it in downstream litigation.

Interaction with other federal reporting obligations

CIRCIA sits in a crowded reporting landscape. The final rule addresses overlaps with:

SEC 8-K material cybersecurity incidents: public companies that are also CIRCIA covered entities must satisfy both. The SEC's four-business-day materiality-based disclosure and CIRCIA's 72-hour substantial-incident clock have different triggers and different standards. Practice is converging on a single internal incident-severity classification that feeds into both processes, with legal counsel making simultaneous materiality determinations.

HIPAA Breach Notification (45 CFR Parts 160 and 164): healthcare covered entities that are also CIRCIA covered entities report the cybersecurity incident to CISA under CIRCIA within 72 hours. Separately, they make the HIPAA-mandated notifications to HHS and affected individuals within 60 days for breaches affecting 500 or more individuals, and notify the media for large breaches as HIPAA requires.

NERC CIP incident reporting: electricity sector entities subject to CIP-008 already report to E-ISAC. Most of these are also CIRCIA covered entities. CISA has MOUs with NERC and E-ISAC to allow simultaneous submission.

TSA Security Directives (pipelines, rail, aviation): TSA requires 24-hour incident reporting under its security directives. CIRCIA reporting does not satisfy the TSA obligation. Covered transportation entities must report to both.

Coast Guard NVIC 01-20 (maritime): CIRCIA covered entities in the maritime sector also report to the Coast Guard.

FBI voluntary reporting: CIRCIA does not replace FBI notification. Most covered entities will still notify FBI, particularly for ransomware. FBI notification is often necessary for law enforcement cooperation on attribution or threat actor disruption, which CIRCIA reporting does not provide.

State breach notification laws: CIRCIA does not preempt state breach laws. All 50 states plus DC have some form of breach notification. Those laws remain in force; CIRCIA is additive.

Defense Department DFARS 252.204-7012: DIB contractors must report within 72 hours to DOD via DIBNet. Those reports do not satisfy CIRCIA; CIRCIA is a separate report. In many cases, DIB contractors are filing substantially the same information to two different federal portals.

OFAC sanctions: if a ransom payment would be made to a sanctioned entity or jurisdiction, OFAC disclosure and licensing are separate requirements that CIRCIA does not affect.

The final rule committed CISA to work toward "single submission" paths where multiple federal agencies would receive a single submission and the CIRCIA obligation would be satisfied. As of early 2026, this is aspirational; most covered entities still file multiple reports through multiple portals.

The first 24 hours: practical runbook

The implementation challenge for most covered entities is integrating CIRCIA reporting into incident response within a clock that runs while IR is still doing initial triage. The specific runbook adjustments:

Hour 0 to 2: detection and initial classification

The SOC or IR team declares an incident. The incident manager assesses whether the event meets the "covered cyber incident" substantial-impact threshold. If the answer is unclear, the presumption should lean toward yes; CIRCIA anticipates early reporting with supplemental updates.

Designate the CIRCIA reporting lead. This is typically the CISO, the deputy CISO, or a named incident manager. The reporting lead is responsible for the 72-hour clock.

Open a case record with: date/time of detection, date/time CIRCIA clock started, assigned reporting lead, incident description, affected systems.

Hour 2 to 8: initial containment and evidence preservation

Standard IR activities (isolation, credential rotation, log preservation) continue. In parallel, the CIRCIA reporting lead begins drafting the initial report with facts reasonably available:

  • Who the covered entity is (pre-filled template).
  • Point of contact (reporting lead).
  • Nature of the incident (what we think happened, based on current evidence).
  • Systems affected (as known).
  • Detection method.
  • Initial IOCs (file hashes, IP addresses, process names from EDR).
  • Any known attacker communication or ransom demand.

The draft lives in the IR case management system with access restricted to legal, executives, and the named IR team. Outside counsel reviews the draft before submission.

Hour 8 to 24: continuing investigation

Initial forensic findings come in. The report draft updates with new information. Legal counsel and executives approve the submission plan.

If the incident involves a ransom payment under consideration:

  • Engage OFAC counsel immediately.
  • Notify the cyber insurance carrier.
  • Prepare the parallel ransom payment report (due 24 hours after payment, if made).
  • Document the payment analysis including attribution if available.

Hour 24 to 48: parallel reporting workflows

If the incident triggers SEC materiality, begin the SEC 8-K determination in parallel. If HIPAA applies, initiate that workflow. If state breach notification laws apply (based on affected residents), engage state counsel for those notifications. If sector-specific reporting applies (NERC CIP, TSA, DFARS), file those reports on their own clocks.

Hour 48 to 72: CIRCIA report submission

Final legal review. Executive approval. Submit through the CISA portal. Document submission confirmation. Assign the CIRCIA case number to the internal IR case record.

Post-72 hours: supplemental reporting

Subsequent investigation typically produces new material information: root cause, additional affected systems, data exfiltration confirmation, attribution, full IOC set. Each material update triggers a supplemental report. Track these in the IR case record.
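To make the clock handling in this runbook concrete, here is an added example (not code from this post or from Valtik) of a minimal case-record object an IR team could wire into its case management tooling: it records the hour-0 fields, derives the 72-hour and 24-hour deadlines from the "reasonable belief" and payment timestamps, decides whether a single combined report can satisfy both clocks, and counts the supplementals owed. The entity name, the reporting lead and every timestamp in the scenario are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

INCIDENT_WINDOW = timedelta(hours=72)  # covered cyber incident report
PAYMENT_WINDOW = timedelta(hours=24)   # ransom payment report


def utc(y: int, mo: int, d: int, hh: int, mm: int = 0) -> datetime:
    return datetime(y, mo, d, hh, mm, tzinfo=timezone.utc)


@dataclass
class CirciaCase:
    """Hour-0 case record: detection time, clock start, lead, description, systems."""
    entity: str
    reporting_lead: str
    detected_at: datetime
    description: str
    affected_systems: list = field(default_factory=list)
    clock_started_at: Optional[datetime] = None  # moment of "reasonable belief"
    payment_at: Optional[datetime] = None
    incident_filed_at: Optional[datetime] = None
    supplementals: list = field(default_factory=list)

    def start_clock(self, believed_at: datetime) -> datetime:
        # The 72 h run from reasonable belief, not from root-cause confirmation,
        # so the clock can start days before forensics finishes.
        self.clock_started_at = believed_at
        return self.incident_deadline()

    def incident_deadline(self) -> datetime:
        if self.clock_started_at is None:
            raise ValueError("CIRCIA clock has not started")
        return self.clock_started_at + INCIDENT_WINDOW

    def record_payment(self, paid_at: datetime) -> datetime:
        # 24 h from the payment itself; owed even if the incident were not covered.
        self.payment_at = paid_at
        return paid_at + PAYMENT_WINDOW

    def filing_plan(self) -> dict:
        # A single combined report satisfies both clocks only while the incident
        # report is still unfiled; it is then due at the earlier deadline.
        incident_due = self.incident_deadline()
        if self.payment_at is None:
            return {"reports": ["covered cyber incident"], "due": incident_due}
        payment_due = self.payment_at + PAYMENT_WINDOW
        if self.incident_filed_at is None:
            return {"reports": ["covered cyber incident", "ransom payment"],
                    "due": min(incident_due, payment_due)}
        return {"reports": ["ransom payment"], "due": payment_due}

    def file_incident_report(self, filed_at: datetime) -> bool:
        self.incident_filed_at = filed_at
        return filed_at <= self.incident_deadline()  # True when filed on time

    def material_update(self, finding: str) -> int:
        # Root cause, more affected systems, confirmed exfiltration: each owes a
        # prompt supplemental report against the same CISA case number.
        self.supplementals.append(finding)
        return len(self.supplementals)


def demo() -> dict:
    # Constructed scenario: lateral movement flagged 01:30 UTC; the IR manager
    # forms a reasonable belief of a production compromise at 03:00; a ransom
    # is paid the next day; exfiltration is confirmed after the report is filed.
    case = CirciaCase("Example Utility (constructed)", "Deputy CISO",
                      utc(2026, 5, 4, 1, 30), "ransomware with lateral movement",
                      ["historian server", "file server"])
    case.start_clock(utc(2026, 5, 4, 3, 0))
    before_payment = case.filing_plan()["due"]
    case.record_payment(utc(2026, 5, 5, 12, 0))
    combined = case.filing_plan()
    on_time = case.file_incident_report(utc(2026, 5, 6, 9, 0))
    count = case.material_update("exfiltration of customer records confirmed")
    return {"incident_due": case.incident_deadline().isoformat(),
            "due_before_payment": before_payment.isoformat(),
            "combined_reports": combined["reports"],
            "combined_due": combined["due"].isoformat(),
            "filed_on_time": on_time, "supplementals_owed": count}
```

Note that the ransom payment moves the effective deadline for the combined filing forward to the 24-hour payment mark, which is why the payment analysis in the hour 8 to 24 step has to run in parallel with the incident report draft.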

Common ambiguities and how organizations are interpreting them

Four areas have been the subject of ongoing interpretive uncertainty:

Third-party incidents. If a CIRCIA covered entity's SaaS vendor suffers a breach and the covered entity's data is exposed, is that a covered cyber incident for the covered entity? The rule's language includes "unauthorized access facilitated through a compromise of a cloud service provider or other third-party data hosting provider." So yes, in most interpretations. The covered entity's 72-hour clock starts when it reasonably believes the third-party compromise has impacted its systems.

Ransomware with no payment. A covered entity is hit with ransomware, the backups hold up, no payment is made, operations are restored in 48 hours. Is a CIRCIA report still required? Yes, if the incident is substantial (which ransomware that encrypts production systems almost always is). The 72-hour covered cyber incident report is independent of any ransom payment decision.

Attempted-but-unsuccessful incidents. A phishing email is sent to the CEO, the CEO did not click, the email was detected and deleted. Is that a covered cyber incident? No. CIRCIA requires an actual substantial incident, not an attempted one. Intrusion attempts that did not succeed do not qualify.

Pre-rule incidents. The final rule clarifies that CIRCIA applies to covered cyber incidents occurring on or after the applicability date for each category of covered entity. Pre-rule incidents do not need to be retroactively reported.

Penalties for non-compliance

CIRCIA civil enforcement works as follows:

  1. CISA identifies a covered entity that it believes failed to report. Identification usually happens because the incident becomes publicly known through other channels (media, SEC filing, state breach notification) without a corresponding CIRCIA report.

  2. CISA issues a Request for Information (RFI) asking the entity to explain whether a report was required and, if so, why one was not filed.

  3. If the entity does not respond or the response is unsatisfactory, CISA may issue a subpoena compelling the entity to produce information about the incident.

  4. Non-compliance with a CISA subpoena can be referred to the Department of Justice for enforcement. DOJ may seek a court order compelling production or imposing civil penalties.

Maximum civil penalties under the final rule: up to $25,000 per violation per day, capped at a per-incident maximum. Penalties stack if multiple violations occur.

A separate criminal referral pathway exists if a covered entity knowingly files a false report or knowingly obstructs an investigation. This is rarely used but its existence is a real consideration.

In practice through early 2026, CISA has signaled it will prioritize education and cooperative enforcement over punishment in the first year of applicability. That posture will not last forever. A covered entity that skips reporting, gets caught later, and argues "we weren't sure if it applied" will find less sympathy in year two.

What this means for incident response programs

CIRCIA changes incident response in four concrete ways for covered entities:

  1. The 72-hour and 24-hour clocks force structured IR communication. Ad hoc "we'll report when we know more" is no longer tenable. Reporting has to happen on the clock based on what is reasonably known.

  2. Outside counsel engagement has to be faster. The first 24 hours now include a federal reporting workstream in parallel with investigation, insurance, and operational restoration. Counsel needs to be engaged at hour zero.

  3. Incident severity frameworks need CIRCIA alignment. The internal severity taxonomy (Sev 1, Sev 2) should explicitly include a "CIRCIA-reportable" flag that triggers the reporting workflow.

  4. Supplemental reporting creates ongoing IR documentation discipline. The case record is no longer just an internal artifact. It generates federal submissions. That changes how the IR team writes and reviews incident notes.

Most covered entities that already have mature IR programs can integrate CIRCIA with six to eight weeks of program work. Covered entities without mature IR programs (which is most covered entities below the Fortune 1000 line) have a bigger gap. Building a CIRCIA-compliant IR workflow is a meaningful program investment.

What this means for organizations not covered by CIRCIA

Organizations outside the 16 critical infrastructure sectors, or below the SBA size threshold, are not obligated to file CIRCIA reports. But CIRCIA still affects them:

  • Their CIRCIA-covered vendors and customers will ask for incident reporting commitments that mirror CIRCIA (72-hour notification) in contracts.
  • Voluntary CIRCIA-aligned reporting may become an expectation in cyber insurance underwriting.
  • The federal threat intelligence that CIRCIA produces will filter back down through CISA advisories, ISACs, and sector guidance. Non-covered entities benefit indirectly.

For SMBs that do not qualify as covered entities, the lesson is to build IR processes that could be CIRCIA-compliant if the threshold ever reaches you. Many state-level laws and sector guidance are converging on 72-hour reporting as the norm.

What Valtik sees in CIRCIA-readiness assessments

The most common gaps in covered-entity readiness:

  • No designated CIRCIA reporting lead. Most IR teams have a technical IR lead and a crisis communications lead. A named CIRCIA reporting lead with authority to draft and submit is often missing.
  • No pre-drafted report template. Having the static fields (entity identity, POC, pre-filled ICS information) ready reduces the 72-hour burden substantially.
  • Integration gaps between IR tools and reporting workflow. EDR produces IOCs; ticketing systems hold case notes; the CIRCIA report needs both. Manual re-typing across systems adds hours.
  • Undefined criteria for "substantial" at the enterprise level. IR severity frameworks need explicit mapping to CIRCIA's substantial-incident criteria.
  • Outside counsel engagement that starts at day three. The 72-hour clock means counsel needs to be engaged before the team has full clarity on the incident.

If your organization is a CIRCIA covered entity and you have not run a tabletop specifically testing the 72-hour reporting workflow, that is the most time-efficient gap to close.

Sources

  1. CIRCIA Final Rule, 6 CFR Part 226. Cybersecurity and Infrastructure Security Agency.
  2. Cyber Incident Reporting for Critical Infrastructure Act of 2022, statutory text.
  3. Presidential Policy Directive 21, Critical Infrastructure Security and Resilience.
  4. SEC Cybersecurity Disclosure Rules, Form 8-K Item 1.05.
  5. DFARS 252.204-7012, Safeguarding Covered Defense Information.
  6. HIPAA Breach Notification Rule, 45 CFR Parts 160 and 164.
  7. NERC CIP-008, Cybersecurity Incident Reporting and Response Planning.
  8. CISA StopRansomware guidance.