The Cybersecurity and Infrastructure Security Agency (“CISA”) will be hosting a series of upcoming virtual town hall meetings related to its rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”). As a reminder, forthcoming regulations under CIRCIA will impose a 72-hour reporting requirement for covered critical infrastructure entities to notify the government of certain qualifying cyber incidents (we wrote about the proposed rule in detail here). Once finalized, these rules will have significant compliance implications for many government contractors and subcontractors, particularly those operating in the defense and information technology sectors.
The town hall sessions are designed to provide industry stakeholders with a direct opportunity to offer feedback on the proposed cyber incident reporting requirements. Specifically, CISA requests input on how the rule “may impact regulated entities” and “specific improvements, including how such suggestions would increase the benefit of CIRCIA to critical infrastructure owners and operators.” Key issues raised in comments on the proposed rule include refining the scope of companies considered covered entities, eliminating duplicative reporting obligations, and clarifying the definition of a “substantial” cyber incident that will trigger the reporting requirement.
Town Hall Schedule and Targeted Sectors
CISA has scheduled two general town halls as well as several sector-specific sessions. See below for the schedule:
- General Town Halls:
- March 31, 2026
- April 2, 2026
- Sector-Specific Town Halls:
- March 9, 2026 – Chemical Sector; Water and Wastewater Sector; Dams Sector; Energy Sector; and Nuclear Reactors, Materials, and Waste Sector
- March 12, 2026 – Commercial Facilities Sector; Critical Manufacturing Sector; and Food and Agriculture Sector
- March 17, 2026 – Emergency Services Sector, Government Facilities Sector, Healthcare and Public Health Sector
- March 18, 2026 – Communications Sector; Transportation Systems Sector; and Financial Services Sector
- March 19, 2026 – Defense Industrial Base Sector and Information Technology Sector
These sector-focused sessions are intended to address unique operational and compliance concerns and may provide insight into considerations across industries.
Registration and Participation
All town halls will be conducted virtually, and advance registration is required. Interested participants must register through the CISA website. Registration must be completed no later than 5:00 p.m. ET two business days prior to each meeting.
Next Steps
Organizations that may qualify as “covered entities” under CIRCIA should closely monitor these proceedings and consider participating in the relevant town halls. Early engagement may help inform the final regulatory framework and reduce uncertainty once compliance becomes mandatory.
Sheppard’s Governmental Cybersecurity and Data Protection team is continuing to track developments in the CIRCIA rulemaking process and will continue to provide updates as they become available.
