Full Report
Ashden Fein, Micaela McMurrough, Caleb Skeath, and John Webster Leslie of Covington and Burling write: The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) plans to delay the publication of its much-anticipated cybersecurity incident reporting rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). According to an entry on the Spring 2025 Unified Agenda...
Analysis Summary
# Regulation/Compliance: CISA Cyber Incident Reporting Rule (CIRCIA) Delay
## Overview
This summary pertains to the delay in the final publication of the Cybersecurity and Infrastructure Security Agency (CISA) rule mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This rule will establish mandatory reporting requirements for covered entities concerning significant cyber incidents and ransom payments.
## Key Details
- Issuing Authority: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
- Effective Date: **Delayed.** Originally expected to be finalized by October 2025 (18 months after the Proposed Rule in April 2024). CISA now anticipates publishing the Final Rule in **May 2026**, with the effective date occurring after that.
- Jurisdiction: United States.
- Status: **Final Rule Delayed/Pending.** (Notice of Proposed Rulemaking was published April 4, 2024).
## Requirements
### Mandatory Requirements (As defined by the underlying CIRCIA statute, pending Final Rule publication)
1. **Covered Cyber Incident Reporting:** Covered entities must report "covered cyber incidents" to CISA within **72 hours** of discovery.
2. **Ransom Payment Reporting:** Covered entities must report "covered ransom payments" to CISA within **24 hours** of the payment being made.
### Recommended Practices
1. Organizations should closely monitor CISA's updates regarding the Final Rule publication date.
2. Entities should continue to prepare against the pre-delay timeline (i.e., readiness for a potential October 2025 deadline) as a proactive measure until the May 2026 expectation is confirmed.
## Affected Organizations
- Industries: Covered entities operating within one of the **16 U.S. critical infrastructure sectors.**
- Organization Size: Not specified in the provided text, but generally applies based on sector designation.
- Geographic Scope: United States.
## Compliance Timeline
- **April 4, 2024:** Notice of Proposed Rulemaking (Proposed Rule) published.
- **October 2025 (Original Expectation):** Final Rule publication deadline based on the 18-month statutory requirement following the Proposed Rule.
- **May 2026 (Current Expectation):** CISA plans to publish the Final Rule.
- **Post-May 2026 (Estimated):** Final Rule takes effect, initiating mandatory reporting obligations.
## Implementation Guidance
### Assessment Phase
- Identify if the organization falls under one of the 16 critical infrastructure sectors defined by CISA.
- Review existing incident response plans against the anticipated 72-hour (incident) and 24-hour (ransom payment) reporting windows.
### Implementation Phase
- Develop clear internal procedures for promptly recognizing when a covered incident has been discovered, since the 72-hour reporting window runs from discovery.
- Define the specific data points required when reporting "covered cyber incidents" and "covered ransom payments," as they will be set out in the forthcoming Final Rule.
### Validation Phase
- Conduct tabletop exercises simulating a covered incident to test whether the organization can complete the reporting process within the 72-hour window.
## Technical Requirements
Specific technical controls will be defined by the Final Rule once it is published. The core requirement is timely internal detection and documentation sufficient to file the mandatory reports within the prescribed timeframes.
## Penalties & Enforcement
The provided text **does not detail** the specific fines or enforcement mechanisms CISA plans to implement under the Final Rule for non-compliance with CIRCIA reporting mandates. (Note: CIRCIA itself grants CISA authorities to enforce reporting).
## Related Standards
- **CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022):** The underlying enabling legislation.
- **CISA Guidance:** Organizations should track CISA public statements and subsequent guidance issued following the Final Rule publication for alignment with other security standards (e.g., NIST Cybersecurity Framework, though specific alignment is not detailed here).
## Resources
- Official Documentation: Entry in the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions (RIN: 1670-AA04).
- Guidance Documents: Previous CISA blog posts regarding the Proposed Rule (April 4, 2024).
- Tools: Not specified in the source article.
## Practical Recommendations
1. Critical Infrastructure entities should confirm their sector membership and monitor CISA communications closely for the upcoming May 2026 Final Rule release.
2. Begin drafting internal communication protocols and decision-making matrices now, so that once the rule takes effect, incident identification and the required reports can be completed within 72 hours for covered incidents and within 24 hours for ransom payments.