Despite the likely 2026 effective date, it is not too early for organizations to consider the steps they will need to take in order to comply with these rules once they take effect. There are new requirements, including for data and record preservation, and setting up appropriate policies and practices are likely to take some time. Moreover, CIRCIA and its implementing regulations represent a dramatic change. CISA has been, until now, primarily engaged in voluntary engagements with the private sector (there are some exceptions, such as the Chemical Facilities Anti-Terrorism Standards program). CIRCIA, however, requires many organizations to share information and engage with CISA.

The following is a summary of the key provisions of the proposed regulations. Much of the following comes directly from the proposed regulations with minor edits for clarity:

“Covered Entities”

The proposed regulations define “covered entities” based on size and critical infrastructure sector-specific criteria. To qualify under the “size standard,” the entity must be (1) in one of the 16 critical infrastructure sectors and (2) must exceed the small business size standard applicable to its North American Industry Classification System Code promulgated by the U.S. Small Business Administration. 

The sector-based criteria are specific to each critical infrastructure sector, requiring an entity to first evaluate which sector it is a part of and then to determine whether it satisfies one or more criteria for its sector. To facilitate this analysis, CISA references the Sector-Specific Plans required of each sector with updates every four years.  Additionally, CISA notes an outreach and education campaign that will provide informational materials to simplify the process of determining whether an entity qualifies as a covered entity. As an example of these criteria, a state, local, tribal, or territorial government entity qualifies as a covered entity under the draft rules if it has a population equal to or greater than 50,000 individuals. A Healthcare and Public Health Sector entity would qualify if it provides one or more of the following essential public health-related services:

• Owns or operates a hospital with 100 or more beds, or a critical access hospital;
• Manufactures drugs listed in appendix A of the Essential Medicines Supply Chain and Manufacturing Resilience Assessment developed pursuant to section 3 of E.O. 14017; or
• Manufactures a Class II or Class III device

“Covered Cyber Incident”

The proposed regulations define a reportable “cyber incident” as an occurrence that actually jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information on an information system or actually jeopardizes, without lawful authority, an information system. To be reportable, the cyber incident must be experienced by a covered entity and it must be “substantial” (described in greater detail below). Importantly, and in contrast to other reporting requirements, the draft regulations apply only to actual occurrences and not to imminent threats. CISA describes its understanding of the term “information system” to include operational technologies, such as industrial control systems and supervisory control and data acquisition systems.

A “substantial cyber incident” is a cyber incident that leads to one or more of the following:

• A substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network;
• A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
• A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services;
• Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a:
  • Compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or
  • Supply chain compromise.

A substantial cyber incident that results in the impacts described in 1-3 above includes any cyber incident regardless of cause, including a compromise of (4)(i)-(ii) or the exploitation of a zero-day vulnerability.  It does not, however, include lawful authorized activity of a U.S., state, local, tribal, or territorial government entity; an event where the cyber incident was perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system (for example, harms caused by a penetration test); or the threat of disruption as extortion.

Conversely, a “ransomware attack” is defined as an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information on an information system, or that actually or imminently jeopardizes, without lawful authority, an information system that involves, but need not be limited to, the following:

• The use or threat of use of:
  • Unauthorized or malicious code on an information system; or
  • Another digital mechanism such as a denial-of-service attack;
• To interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system; and
• To extort a ransom payment.

Reporting a covered cyber incident

Once the Final Rule is issued and takes effect, covered entities that experience or are experiencing a covered cyber incident will be required to submit a report within 72 hours after the covered entity reasonably believes the covered cyber incident has occurred. A covered entity must also submit a report within 24 hours after making a ransom payment (including payments made by others on its behalf).  Where a covered entity experiences a covered cyber incident and makes a ransom payment related to the incident, the entity will be required to submit a Joint Covered Cyber Incident and Ransom Payment Report within 72 hours. Supplemental reports are also required where substantial new or different information becomes available or the covered entity makes a ransom payment. These supplemental reports are required promptly and, in the event of making a ransom payment, no later than 24 hours after the payment is disbursed.

Covered entities reporting to another federal agency that has an agreement with CISA, called a “CIRCIA agreement,” would be deemed to have satisfied their obligations to report under the draft rules if the entity is required to report to the other federal agency, the required information in its report is substantially similar to what is required to be reported under the draft rules, the report is required in a substantially similar timeframe as a report under CIRCIA, and the other federal agency and CISA have an information sharing mechanism in place. CISA has committed to maintaining an accurate catalog of these agreements accessible on a public-facing website.

The Director of CISA is also permitted to issue a request for information to a covered entity if there is reason to believe that the entity experienced a covered cyber incident or made a ransom payment but failed to report under CIRCIA. The covered entity would be given a deadline, specified by the Director of CISA, which must be complied with. 

Information shared in a report or in response to a request for information by the Director of CISA is afforded certain protections. Namely, information designated as commercial, financial, and proprietary information is treated as such; the reports and responses are exempt from disclosure under the Freedom of Information Act and its corollaries at the state, local, or tribal levels; and do not waive privileges and are not subject to any federal rules or judicial doctrines regarding ex parte communications with a decision-making official. Moreover, federal, state, local, and tribal governments are prohibited from using information obtained solely through a report or response under CIRCIA to regulate, including in an enforcement proceeding, a covered entity except in limited scenarios such as when the report satisfies obligations under CIRCIA and another law that does allow the information to be used for regulatory purposes (for example, reports under the Health Insurance Portability and Accountability Act). The reports and responses are also not subject to discovery and may not be received in evidence or otherwise used in any trial, hearing, or other proceeding before any court, regulatory body, or other authority of the United States, a state, or a political subdivision thereof.

CIRCIA and its draft rules permit the Director of CISA to issue subpoenas where a covered entity either does not respond, or does not appropriately respond, to requests for information. These subpoenas could lead to a civil action being brought by the U.S. Attorney General and sanctions for contempt. Additionally, information shared in response to a subpoena does not qualify for the information protections and restrictions described above.

Data preservation after a covered cyber incident

The proposed rule would also require that the covered entity experiencing a covered cyber incident or who makes a ransom payment would need to preserve related data and records for no less than two years from the submission of the most recently required report under CIRCIA. The preservation requirement begins on the earliest of when the covered entity establishes a reasonable belief that a covered cyber incident occurred or upon which a ransom payment was disbursed.  The preservation requirement applies to the following:

• All correspondence with the threat actor, regardless of the forum or method;
• Indicators of compromise;
• Relevant log entries;
• Relevant forensic artifacts;
• Network data;
• Data and information that may help identify how a threat actor compromised or potentially compromised an information system;
• System information that may help identify exploited vulnerabilities;
• Information about exfiltrated data;
• All data or records related to the disbursement or payment of any ransom payment; and
• Any forensic or other reports concerning the incident, whether internal or prepared for the covered entity by a cybersecurity company or other third-party vendor.

CISA estimates that the reporting obligations will affect between 316,244 to 351,383 entities.  CISA further estimates that after the reporting requirements begin in 2026 and through 2033, between 83,760 to 463,850 reports will be made. In what appears likely to be a low estimate, CISA approximates the total undiscounted cost to industry would be between $1.2 billion and $3.2 billion. When factoring in the cost to the government, the estimates are between $2.2 billion and $4.1 billion.

The estimated costs, as well as the change in engagement style for CISA, represent a significant development for many organizations.  The proposed rules attempt to balance the interests of  U.S. national security and CISA in maintaining strong voluntary relationships with private industry against the value of having a national coordinator for critical infrastructure security and resilience with significantly more insight into cybersecurity trends. How this attempt at balance fares is yet to be determined, but organizations should consider what the proposed rules will mean for them, provide comment to inform the Final Rules, and begin preparing to comply with the rules once they take effect.