Skip to main content

Cyber Incident Reporting for Critical Infrastructure Act of 2022

CIRCIA is a US law requiring critical infrastructure entities to report major cyber incidents within 72 hours and ransom payments within 24 hours to CISA. It aims to improve national threat visibility and response.

Jurisdiction
United States

What CIRCIA Is and Why It Exists

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a United States federal law signed in March 2022. It directs the Cybersecurity and Infrastructure Security Agency (CISA) to develop rules requiring covered entities in critical infrastructure sectors to report significant cyber incidents and ransomware payments. The goal is to give the federal government earlier, fuller visibility into attacks so it can warn other potential victims, support response, and analyze trends across sectors.

CIRCIA arose from a string of high-impact incidents, including supply-chain compromises and ransomware against pipelines and food producers, where delayed or absent reporting hampered national response.

Who It Applies To

CIRCIA applies to "covered entities" in the 16 critical infrastructure sectors defined by Presidential Policy Directive 21, such as energy, water, healthcare, financial services, communications, and transportation. The precise scope is set by CISA's implementing rule. Entities are generally captured by sector plus size or by sector-specific criteria. Organizations that pay a ransom in response to a ransomware attack on critical infrastructure are also covered, even when they are not otherwise large.

Key Requirements

  • Covered cyber incident reports must be filed with CISA within 72 hours of a reasonable belief that a covered incident has occurred.
  • Ransom payment reports must be filed within 24 hours of making a payment in response to a ransomware attack.
  • Supplemental reports are required when substantial new information becomes available or when an ongoing incident changes materially.
  • Data and records preservation relevant to the incident must be maintained.
  • Reports include incident description, affected systems, observed tactics, and the entity's response.

CIRCIA includes liability protections and limits on how reported information may be used, encouraging candid disclosure.

Penalties for Non-Compliance

If a covered entity fails to report, CISA may issue a request for information and then a subpoena to compel a response. Failure to comply with a subpoena can be referred to the Department of Justice for civil enforcement, and may result in contempt proceedings. Providing false statements carries additional federal penalties. Because the implementing rule is still being finalized, exact enforcement mechanics continue to evolve.

How to Comply

  • Determine whether your organization is a covered entity under CISA's rule.
  • Build incident classification criteria so staff can quickly judge whether the 72-hour clock has started.
  • Create a reporting runbook with designated contacts, evidence-preservation steps, and the CISA reporting channel.
  • Align internal detection, logging, and escalation with the reporting deadlines.
  • Track ransomware decision-making separately, since payments trigger a tighter 24-hour deadline.

Mapping CIRCIA obligations onto an existing incident-response program based on the NIST Cybersecurity Framework usually provides the fastest path to readiness.

Practical Engineering Implications

Meeting CIRCIA's deadlines depends less on legal interpretation than on detection and escalation speed. The 72-hour clock starts from a reasonable belief that a covered incident occurred, so teams need monitoring, logging, and alerting mature enough to recognize a qualifying event quickly. Centralized log aggregation, clear severity thresholds, and a pre-agreed incident-classification matrix let responders decide fast whether reporting is triggered. Tabletop exercises that rehearse the reporting decision, not just the technical response, are among the most effective preparations, because the hardest part under pressure is judgment, not remediation. Organizations should also maintain a current contact and channel for CISA so that reporting is not delayed by administrative friction during a crisis.