CIRCIA Final Rule Slips to May 2026: What Changes

CISA pushed the CIRCIA final rule deadline from October 2025 to May 2026, citing 24,000 public comments and harmonization work with other federal cyber reporting frameworks.

Nayan Dey
Senior Security Engineer
5 min read

On September 19, 2025, CISA updated its Unified Agenda entry (RIN 1670-AA04) to confirm what trade groups had spent six months urging: the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) final rule will not publish in October 2025 as the statute originally contemplated. The new target is May 2026. The slip is not a softening of obligations but a recognition that the April 4, 2024 Notice of Proposed Rulemaking (NPRM) drew more than 24,000 public comments and that CISA must reconcile its 72-hour incident clock with at least 52 other federal cyber reporting regimes already on the books. For covered entities, the practical effect is roughly nine additional months to operationalize processes that were always going to be hard.

What did the NPRM actually propose?

The April 2024 NPRM, published at 89 FR 23644, requires "covered entities" to report a "covered cyber incident" to CISA within 72 hours of reasonable belief that the incident occurred, and to report ransom payments within 24 hours of payment. The agency estimated 316,244 covered entities across 16 critical infrastructure sectors, generating roughly 25,000 incident reports and 4,500 ransom payment reports annually. Covered cyber incidents include substantial loss of confidentiality, integrity, or availability of an information system; serious impact on safety and resiliency of operational systems; disruption of business or industrial operations; and unauthorized access via supply chain compromise or third-party service provider.

Who is actually covered?

The NPRM uses both size-based and sector-based criteria. Any entity in a critical infrastructure sector that exceeds the SBA small business size standard is covered. Below that threshold, an entity is still covered if it meets one of fourteen sector-specific criteria — for example, owning industrial control systems regulated under TSA's pipeline security directives, operating a hospital with 100 or more beds, being a registered investment adviser with assets under management above $1.5 billion, or holding a defense contract subject to DFARS 252.204-7012. The breadth is the point of contention: software vendors selling to any covered entity become covered themselves if they meet the size threshold.

What information must reports contain?

The proposed rule specifies ten data elements per incident report, including a description of the affected systems and networks, the vulnerabilities exploited, the actor's tactics where known, the impact assessment, mitigation steps taken, indicators of compromise, and contact information for the reporting entity. CISA proposed that the format follow a structured web form rather than free-text email. Supplemental reports are required when "substantial new or different information" becomes available, until the entity notifies CISA that the incident is resolved.

# Proposed CIRCIA covered cyber incident report data elements (89 FR 23644)
# Sketch of the proposed elements; bracketed values are type placeholders, not literals
report:
  entity:
    name: string
    sector: enum  # one of the 16 critical infrastructure sectors
    point_of_contact: object  # contact details for the reporting entity
  incident:
    discovery_timestamp: ISO-8601  # the NPRM's clock runs from reasonable belief, not confirmation
    description: text  # affected systems and networks, in narrative form
    affected_systems: [array]
    impacted_data_categories: [array]
    tactics_techniques_procedures: [MITRE ATT&CK IDs]  # actor tactics, where known
    indicators_of_compromise: [array]
    mitigation_actions: text  # mitigation steps taken so far
  attribution:
    actor_known: boolean
    attribution_evidence: text

Why is harmonization the gating issue?

The DHS Cyber Incident Reporting Council's September 2023 report identified 52 distinct federal cyber incident reporting requirements with conflicting timelines, thresholds, and recipients. SEC Item 1.05 of Form 8-K requires public companies to disclose material incidents within four business days. TSA Pipeline Security Directive 2021-02F requires reporting to CISA within 12 hours and to TSA within 24. The FCC's CPNI breach rule requires reporting within seven business days. The HHS HIPAA Breach Notification Rule allows 60 days. CIRCIA's enabling statute requires CISA to "do everything practicable" to avoid duplication, which is why the May 2026 timeline is being used to finalize substantially expanded harmonization provisions.

What should covered entities do in the meantime?

Treat the May 2026 final rule as a planning constant, not a hope of further delay. The statute (6 U.S.C. § 681b) gives CISA no further extension authority beyond what it has already taken. Build the incident determination workflow now: who decides whether an event is a "covered cyber incident," who authors the report, and who signs it. Run tabletop exercises against the 72-hour clock, including supply chain compromise scenarios where the affected system is operated by a vendor. Inventory whether your subcontractors and SaaS vendors are also covered entities, because the NPRM does not relieve the prime of its own reporting obligation when an upstream vendor reports. Pre-stage the data elements in your incident response platform so that producing a CIRCIA report does not require a fresh forensic dig at hour 70.

How does CIRCIA interact with the SEC and DoD regimes?

Public companies subject to Item 1.05 of Form 8-K will likely file CIRCIA reports earlier than SEC disclosures, because CIRCIA's 72-hour clock starts at reasonable belief while Item 1.05 starts at materiality determination. The NPRM proposes that CIRCIA submissions are not "disclosure" under SEC rules and are protected from FOIA under 6 U.S.C. § 681e. For DoD contractors, DFARS 252.204-7012 already requires reporting cyber incidents affecting Covered Defense Information within 72 hours via DIBNet. The CIRCIA NPRM proposes a "substantially similar reporting" exception that may permit one report to satisfy both regimes, but only if DoD and CISA execute an information-sharing agreement before the rule is final. As of the September 2025 agenda update, that agreement has not been published.
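The preparation advice above (pre-stage the data elements, rehearse against the 72-hour clock) and the overlapping clocks described in the harmonization and SEC/DoD sections are easiest to see in code. The following is an added example, not part of the article and not CISA's schema or any vendor's product: a small helper of the kind an incident response platform could carry so that, at hour 70, the team knows which clock expires first and which report fields are still empty. Its assumptions are labelled: business-day counting skips weekends only (federal holidays are not modelled); every clock except SEC Item 1.05 and the ransom-payment clock is started from the same "reasonable belief" timestamp, although the trigger wording differs per regime; the required-field list follows the article's sketch of the proposed elements, not the final rule; the incident, entity and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` weekdays (Mon-Fri), keeping the time of day.
    Assumption: weekends only; federal holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def reporting_deadlines(reasonable_belief: datetime,
                        materiality_determined: Optional[datetime] = None,
                        ransom_paid: Optional[datetime] = None) -> Dict[str, datetime]:
    """Map each regime named in the article to its deadline.

    CIRCIA NPRM: 72 h from reasonable belief; ransom payment 24 h from payment.
    DFARS 252.204-7012: 72 h (DIBNet). TSA SD 2021-02F: 12 h to CISA, 24 h to TSA.
    FCC CPNI: 7 business days. HHS HIPAA: 60 days.
    SEC 8-K Item 1.05: 4 business days from materiality determination.
    Assumption: all but the SEC and ransom clocks are started from `reasonable_belief`.
    """
    deadlines = {
        "circia_incident_72h": reasonable_belief + timedelta(hours=72),
        "dfars_7012_dibnet_72h": reasonable_belief + timedelta(hours=72),
        "tsa_sd_2021_02f_cisa_12h": reasonable_belief + timedelta(hours=12),
        "tsa_sd_2021_02f_tsa_24h": reasonable_belief + timedelta(hours=24),
        "fcc_cpni_7bd": add_business_days(reasonable_belief, 7),
        "hipaa_breach_60d": reasonable_belief + timedelta(days=60),
    }
    if ransom_paid is not None:
        deadlines["circia_ransom_24h"] = ransom_paid + timedelta(hours=24)
    if materiality_determined is not None:
        deadlines["sec_8k_item_1_05_4bd"] = add_business_days(materiality_determined, 4)
    return deadlines


def first_due(deadlines: Dict[str, datetime]) -> Tuple[str, datetime]:
    """The regime whose clock expires first."""
    return min(deadlines.items(), key=lambda item: item[1])


# Required elements, following the article's sketch of the proposed report (not the final rule).
REQUIRED_ELEMENTS = {
    "entity": ("name", "sector", "point_of_contact"),
    "incident": ("discovery_timestamp", "description", "affected_systems",
                 "impacted_data_categories", "tactics_techniques_procedures",
                 "indicators_of_compromise", "mitigation_actions"),
    "attribution": ("actor_known",),
}


def missing_elements(report: dict) -> List[str]:
    """Dotted paths of required elements that are absent or empty (False counts as present)."""
    missing = []
    for section, keys in REQUIRED_ELEMENTS.items():
        body = report.get(section) or {}
        for key in keys:
            value = body.get(key)
            if value is None or value == "" or value == []:
                missing.append(f"{section}.{key}")
    return missing


# Constructed sample timeline for a hypothetical incident (all UTC).
REASONABLE_BELIEF = datetime(2026, 6, 5, 15, 0, tzinfo=timezone.utc)        # Friday
RANSOM_PAID = datetime(2026, 6, 7, 9, 0, tzinfo=timezone.utc)               # Sunday
MATERIALITY_DETERMINED = datetime(2026, 6, 9, 10, 0, tzinfo=timezone.utc)   # Tuesday

# Constructed sample report, deliberately missing two elements at "hour 70".
SAMPLE_REPORT = {
    "entity": {"name": "Example Water Utility (constructed)", "sector": "Water and Wastewater",
               "point_of_contact": {"name": "IR lead", "email": "ir@example.invalid"}},
    "incident": {"discovery_timestamp": REASONABLE_BELIEF.isoformat(),
                 "description": "Ransomware on billing network (constructed scenario)",
                 "affected_systems": ["billing-db-01"],
                 "impacted_data_categories": [],            # not yet assessed
                 "tactics_techniques_procedures": ["T1486"],  # ATT&CK: Data Encrypted for Impact
                 "indicators_of_compromise": ["constructed-ioc-placeholder"],
                 "mitigation_actions": ""},                  # not yet written
    "attribution": {"actor_known": False, "attribution_evidence": ""},
}

if __name__ == "__main__":
    clocks = reporting_deadlines(REASONABLE_BELIEF, MATERIALITY_DETERMINED, RANSOM_PAID)
    for regime, due in sorted(clocks.items(), key=lambda item: item[1]):
        print(f"{due.isoformat()}  {regime}")
    print("first due:", first_due(clocks)[0])
    print("still missing:", missing_elements(SAMPLE_REPORT))
```

Two design points worth noting. First, the SEC clock is keyed to a separate `materiality_determined` input rather than discovery, which is exactly the ordering difference the article describes: CIRCIA will normally be due before the 8-K. Second, `missing_elements` treats an empty list or empty string as missing but `actor_known: False` as present, since "we do not know who did this" is a legitimate answer to that element while an empty `mitigation_actions` field is not.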

How Safeguard Helps

Safeguard captures the data points a CIRCIA report requires the moment an incident is detected: affected systems, exploited vulnerabilities with CVE references, components from the SBOM, third-party services touched, and MITRE ATT&CK technique mapping. Griffin AI generates the structured report payload in the proposed CIRCIA schema and a parallel DIBNet-compatible JSON for dual filers, eliminating the hour-70 scramble. Policy gates flag deployments that lack incident reporting playbooks, and continuous TPRM scoring identifies which upstream SaaS vendors fall under CIRCIA's covered entity definition so that flow-down notification obligations are visible before the 72-hour clock starts. Audit trails of every detection, decision, and report are preserved in a tamper-evident log to satisfy the NPRM's record retention proposal of two years.
