The bottom line: Starting today, CISA is holding virtual town halls to gather feedback on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). If you run critical infrastructure (water, energy, healthcare, finance, transportation) you'll soon be required to report cyberattacks to the feds within 72 hours. Pay a ransom? You've got 24 hours. The final rule drops in May.

What CIRCIA Requires

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is finally becoming reality. Once the rule goes final, "covered entities" in critical infrastructure sectors must [1]:

  • Report cyber incidents within 72 hours of discovering a "substantial" attack on their systems
  • Report ransom payments within 24 hours, even if the payment isn't connected to a reportable incident
  • Submit to CISA: not the FBI, not sector regulators, but the Cybersecurity and Infrastructure Security Agency directly

CISA issued its proposed rule in April 2024. After two years of comment periods and industry pushback, they're making one last push for stakeholder input before finalizing the regulation in May 2026.

Town Hall Schedule

CISA split the town halls by sector. Each session runs about two hours. Here's when your industry gets its turn [2]:

  Date                      Sectors
  March 9, 2026             Chemical, Water/Wastewater, Dams, Energy, Nuclear
  March 12, 2026            Commercial Facilities, Critical Manufacturing, Food/Agriculture
  March 17, 2026            Emergency Services, Government Facilities, Healthcare/Public Health
  March 18, 2026            Communications, Transportation, Financial Services
  March 19, 2026            Defense Industrial Base, Information Technology
  March 31 & April 2, 2026  General sessions (all sectors)

Registration closes 5:00 PM ET two business days before each meeting. Sign up at cisa.gov/circia.

What CISA Wants to Hear

The comment period is technically closed, but CISA is still accepting feedback through these town halls. According to their notice, they're looking for [3]:

  • Real-world impact examples: How would the proposed rule affect your incident response procedures?
  • Duplicate reporting concerns: Many industries already report to sector regulators. CISA wants to hear about overlap.
  • "Substantial incident" definitions: What actually qualifies as a reportable event? The rule is vague.
  • Covered entity scope: Who exactly has to comply? Small utilities? Third-party vendors?

You can also submit written materials within seven days of attending by emailing CISA directly.

Why This Matters

CIRCIA represents the biggest expansion of federal cyber incident reporting requirements ever. And it cuts both ways.

The upside

Right now, most breaches stay hidden. Companies quietly pay ransoms, patch holes, and pray no one notices. The Conduent breach affected 25 million Americans, and the company spent three months downplaying the scope while attackers exfiltrated 8TB of data.

Mandatory reporting forces disclosure. CISA gets real-time visibility into attacks. Patterns emerge. Shared threat intelligence improves defenses across sectors.

The downside

Every report to CISA is information the government collects. And CISA shares threat data with other agencies, including the FBI. For companies, that means federal scrutiny of their security practices. For individuals whose data got stolen, it means the government knows about breaches that might never have been disclosed.

The 72-hour window is aggressive. Incident response teams are often still in triage mode at that point, figuring out what happened, not writing government reports. Healthcare providers dealing with ransomware attacks might be focused on keeping patients alive, not filing paperwork.

The Bigger Picture

These town halls come at a chaotic time for CISA. The agency faced partial shutdown in February as DHS dealt with budget chaos. Critical vulnerability alerts stopped. Threat feeds went dark.

And the FBI's wiretap system just got hacked, by someone using sophisticated techniques to exploit a commercial vendor. If federal agencies can't protect their own surveillance infrastructure, questions arise about whether they're equipped to process sensitive breach data from thousands of private companies.

CIRCIA also intersects with the broader surveillance picture. CISA is part of DHS, the same department running ICE's $85 billion surveillance apparatus. The same department whose immigration agents have been using facial recognition on teenagers.

None of that means CIRCIA is bad policy. But it's worth understanding who gets this data and what they might do with it.

What Happens Next

  • May 2026: CISA publishes the final rule
  • Implementation period: Covered entities will have time to build compliance programs
  • Enforcement begins: Timeline still unclear, but expect 2027

If you work in critical infrastructure and have opinions about mandatory breach reporting, the next two weeks are your last chance to be heard. After that, the rule is what it is.

Sources

  1. CISA - Announces New Town Halls on CIRCIA
  2. National Law Review - CISA Town Hall Schedule
  3. Mayer Brown - CIRCIA Implementation Input

Published: March 9, 2026