
What is the CISA Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)?

Back in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law as yet another regulation aiming to enhance federal cybersecurity by requiring critical infrastructure entities to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). Two years later, on April 4, 2024, CISA published its proposed rule to codify CIRCIA’s specific mandates, which are expected to take effect in 2026.

Given that, under CIRCIA, entities that fall within its definition of "critical infrastructure" will need to comply with these new requirements, any head start will help, and that’s where we can offer some assistance. As highly experienced cybersecurity experts and assessors, we have been well-entrenched in the related federal scene for years, and after reviewing the Act and the Proposed Rule, we can provide some important insight.

In this blog post, we’ll overview the CISA CIRCIA—including a synopsis of the expected reporting requirements—before getting into the areas of your cybersecurity that you’ll want to shore up in anticipation of those requirements. After reading, you should have a solid launch point in getting ready for the effective date of CIRCIA.

An Overview of the CISA CIRCIA

Over the last few years, CISA has been working to harmonize new cyber incident reporting rules and establish information-sharing agreements with other federal agencies to streamline the reporting process. Now, we have CIRCIA to show for it.

The act—and its proposed rule—mandates the reporting of:

  • Cyber incidents within 72 hours after a covered entity reasonably believes that the incident has occurred; and
  • Ransomware payments within 24 hours (unless the payment is accompanied by an incident, in which case the organization has 72 hours to report).

Covered entities under CIRCIA are those deemed “critical infrastructure”—or those deemed vital to America’s security, economy, public health, and safety—and include organizations in these sectors, among others:

  • Energy
  • Financial services
  • Healthcare and public health
  • Information technology
  • Transportation systems
  • Water and wastewater systems
  • Communications
  • Chemical
  • Defense Industrial Base
  • Food and agriculture

CIRCIA also contains provisions for cyber incidents that originate from third-party vendors and affect the operations of covered entities—depending on the nature of the incident and its impact on the critical covered entity, these incidents should also be reported to CISA within 72 hours. To be clear, the responsibility of communicating incidents falls on the shoulders of the covered entities themselves—they are the ones who must report cyber incidents to CISA within 72 hours after a cyber incident has occurred.

While CIRCIA does not (yet) include specific direction for determining whether an incident is reportable or not, some basic criteria could include if the issue creates:

  • A significant impact on operations, i.e., service outages, major slowdowns, or an inability to meet critical operational requirements
  • A compromise of sensitive information, i.e., data breaches involving personal information, trade secrets, or critical infrastructure plans
  • A threat to public safety or national security, i.e., attacks on systems that control physical infrastructure like power grids, transportation systems, or water supplies
  • Cascading effects, e.g., an incident at a software vendor that provides services to multiple critical infrastructure operators could have a wider fallout

What are the CISA CIRCIA Reporting Requirements?

If you determine an incident is in fact reportable, in making that report, the Act mandates that you must communicate specific information, which includes (but is not limited to):

  • An overview of your organization
  • A description of the affected functions
  • Technical details of the networks or devices
  • Vulnerabilities exploited
  • Categories of information that were accessed
  • Relevant dates
  • Your security protocols
  • The impact of the incident on operations
  • Indicators of compromise
  • A description of the type of incident and tactics
  • Identifying information about the attacker
  • A description of any mitigation and response activities
  • Identification of any law enforcement responding to the incident
  • Whether another entity assisted you in responding to the covered cyber incident

When submitting your comprehensive report to CISA, you must do so in a manner that allows the agency to receive the report in a substantially similar timeframe to that which you would otherwise have been obligated to provide the report to CISA pursuant to CIRCIA.

What’s more, if your organization is contracted to provide services to the federal government, you must also report the incident to your federal agency partner, as well as CISA. CISA and the federal agency to which the covered entity submits the report must have an information-sharing agreement in place that satisfies the requirements of 6 U.S.C.

How to Comply with the CISA CIRCIA Requirements

While we can’t advise you on specifics—given that the final rule has yet to be published—the following is a list of policies, procedures, and controls that, upon implementation, will likely help mitigate the risk of non-compliance with CIRCIA to a level of reasonable assurance:

  • Incident Response Plan: Establish robust policies and procedures for identifying, reporting, and mitigating cyber incidents should they occur, as well as roles and responsibilities for each team member. (This plan should also be communicated to staff.)
  • Regular Awareness Training: Implement regular cybersecurity training and awareness programs for all employees to educate them regarding the importance of reporting incidents and how to identify potential threats.
  • Monitoring and Logging Controls: Implementing these measures will help your organization detect any unusual or suspicious activity that could indicate a cyber incident while also creating an archive that will allow the performance of the necessary due diligence and forensic analysis in the case of a cyber incident.
  • Access Controls: Limiting the number of employees who have access to sensitive data and systems will help block unauthorized access and reduce the risk of a cyber incident.
  • Patch Management: Establish a patch management program to ensure that all systems and software are up to date with the latest security patches to aid in preventing vulnerabilities that could be exploited by cyber attackers.
  • Penetration Testing and Vulnerability Assessments: Conduct regular penetration testing and vulnerability assessments to identify any weaknesses in your systems and networks so that you can proactively address any areas that need to be strengthened to prevent a cyber incident.
  • Incident Reporting Procedures: Develop clear and concise incident reporting procedures that outline the steps to take when a cyber incident occurs—these should be designed in line with CIRCIA regulations.
  • Third-Party Risk Management (TPRM): Establish a TPRM program that assesses the cybersecurity risks posed by your vendors and partners so that you can identify and mitigate potential vulnerabilities in your supply chain.
  • Data Backup and Recovery: Implement a plan to ensure that critical data is backed up regularly and can be quickly restored in the event of a cyber incident.
  • Compliance Monitoring: Regularly monitor your compliance with CIRCIA regulations so that, should your organization fall out of compliance, you can take steps to re-satisfy the Act’s requirements in full.

(NOTE: This list is not meant to be all-inclusive, and there could be other pertinent areas that you must address, which will become clearer upon the publication of the final rule.)

Early Next Steps for Compliance with CIRCIA

Overall, CIRCIA aims to improve the government's understanding of cyber threats and enable better incident response and prevention measures for covered critical infrastructure entities. While we all wait for the final rule and its requirements, those covered under the Act’s provisions shouldn’t wait to get started in making the necessary changes for compliance.

And while this article provides a high-level baseline on where to start, you may want to take your preparation a step further. As such, Schellman is preparing readiness assessment procedures that may be the right solution for your covered organization in that you would receive our expert feedback on your overall preparedness and any identified gaps in your incident reporting procedures, controls, and mechanisms in place, as well as those in any supporting controls designed to mitigate the risk of non-compliance with CISA’s CIRCIA reporting rules (as mentioned above).

Our service will follow the up-to-date CIRCIA rules—as we will adapt our procedures to any future changes—ahead of the final rule posting and launch of reporting requirements by the end of 2025. If you’re interested in learning more about how we can help with your CIRCIA compliance, contact us today.