WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today announced a series of virtual town hall meetings to gather stakeholder input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) rulemaking. The town hall meetings are scheduled to begin March 9, with the full schedule available in the Federal Register. Any changes or updates will be available on www.cisa.gov/circia.
“Implementing CIRCIA will significantly enhance our ability to assist victims of cyber incidents, identify emerging threats, and rapidly share actionable information to protect others,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen. “Stakeholder input is critical as we finalize this rule to strengthen our collective defense. CISA is committed to delivering a framework that appropriately balances its impact on improving our nation’s cybersecurity posture with avoiding unnecessary burden to entities in critical infrastructure sectors.”
CIRCIA is a U.S. law that will help the government quickly respond to cyber threats and share information to protect critical infrastructure. Once the final rule is implemented, covered organizations will be required to report certain cyber incidents to CISA within 72 hours and ransom payments within 24 hours.
CISA has received numerous requests for additional engagement on the CIRCIA rulemaking process and greatly values its stakeholders’ interest in shaping a final rule that maximizes CIRCIA’s impact on our nation’s cybersecurity posture while minimizing unnecessary burden. Given the broad stakeholder community that CIRCIA may impact, CISA will conduct a series of town hall meetings to solicit input on the Notice of Proposed Rulemaking (NPRM). CISA selected this approach for additional engagement on the CIRCIA NPRM so that entities across the broad range of critical infrastructure sectors have access to CISA.
CISA issued the CIRCIA NPRM in April 2024. To inform the CIRCIA NPRM, CISA hosted in-person public listening sessions across the country, conducted virtual sector-specific sessions, and engaged with Sector Risk Management Agencies (SRMAs) and other federal partners—all aimed at gathering meaningful input from a broad range of stakeholders. The NPRM was open for a 90-day public comment period. As implementation moves forward, CISA believes additional stakeholder engagement will be critical to developing a rule that strikes an appropriate balance of costs and benefits.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, and Instagram.