The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directed CISA to publish a final rule mandating that covered entities report covered cyber incidents within 72 hours and ransom payments within 24 hours. The Notice of Proposed Rulemaking dropped on April 4, 2024 with an 18-month statutory deadline for finalization. That deadline slipped: CISA's Spring 2025 Unified Agenda moved the final rule to May 2026, citing the volume of comments received, the need to harmonize with other federal cyber-reporting frameworks, and disruption from a federal appropriations lapse. With finalization now imminent, security and compliance teams need to understand who is in scope, what triggers reporting, and how the timers interact with SEC, HIPAA, and state notification regimes already in effect.
Who counts as a covered entity?
The proposed rule applies a dual-track test. Track one is a sector-plus-size test: an entity that operates in one of the 16 critical infrastructure sectors defined in Presidential Policy Directive 21 is covered if it exceeds the Small Business Administration's size standard for its primary NAICS code. Those size standards vary by industry, generally ranging from about 100 to 1,500 employees or roughly $2.25 million to $47 million in annual revenue. Track two is a list of sector-specific criteria that capture entities regardless of size where their disruption would pose outsized risk to public safety, the economy, or national security. CISA's preliminary regulatory impact analysis estimated more than 316,000 entities would fall within scope across the 16 sectors. The final rule may narrow that figure, but it will not collapse it; most software vendors, cloud providers, healthcare entities, financial institutions, water utilities, and energy companies above small-business thresholds should expect to be covered.
What is a covered cyber incident?
The proposed definition centers on substantial impact, not on technical classification. An incident is covered if it leads to a substantial loss of confidentiality, integrity, or availability of an information system; a serious impact on the safety or resiliency of operational systems and processes; a disruption of business or industrial operations, including through denial of service or extortion; or unauthorized access facilitated through or caused by a compromise of a cloud service provider, managed service provider, or other third party. The definition deliberately captures supply chain incidents that originate at a vendor, a key alignment with EO 14144 and the SEC's reading of Item 1.05. Routine, non-substantial events do not require reporting. The statute also carves out lawfully authorized activity of U.S. federal or state, local, tribal, and territorial government entities (including action taken under a warrant or other judicial process) and events perpetrated in good faith at the specific request of the system's owner or operator, such as authorized penetration testing.
How do the 72-hour and 24-hour clocks work?
A covered entity must submit a Covered Cyber Incident Report to CISA within 72 hours after it "reasonably believes" a covered cyber incident has occurred. That standard is deliberately lower than the SEC's materiality determination, so the CIRCIA clock will frequently start before any 8-K analysis even begins. Ransom Payment Reports are due within 24 hours of the payment being made, regardless of whether the underlying incident is otherwise reportable; the two clocks run from different triggers and have to be tracked separately. Supplemental reports are required when substantial new or different information becomes available, for example when forensic work identifies an additional impacted system or a new data category. CISA preserves the original report and treats each supplemental as a layered update rather than a replacement, so a later filing does not need to restate or retract the earlier one. Reports are submitted through a CISA-hosted web form (with API options anticipated in the final rule) and are subject to CIRCIA's statutory confidentiality, privilege, and liability protections for submitted reports.
How does CIRCIA stack with SEC, HIPAA, and state regimes?
This is the harmonization problem that drove much of the comment volume. A public-company hospital system that takes a ransom payment would face: a 24-hour CIRCIA Ransom Payment Report, a 72-hour CIRCIA Covered Cyber Incident Report, an SEC Item 1.05 8-K within four business days of materiality determination, HIPAA Breach Notification Rule timelines (no later than 60 calendar days), and a patchwork of state attorney general and resident notifications often triggered by date-of-discovery. CISA has indicated that the final rule will accept "substantially similar" reports filed to certain other federal regulators in lieu of a separate CIRCIA filing, with the agency receiving the report responsible for sharing it with CISA. The list of substantially-similar regimes is one of the most-watched portions of the rulemaking. Until that list is locked, covered entities should plan to file CIRCIA reports directly even when overlapping reports go to other agencies.
# CIRCIA timer playbook for a multi-regulated organization
# Each clock starts from its own trigger (in brackets), not from a shared T+0.
T+0    [detection]                Activate IR plan; record the detection timestamp
T+24h  [ransom payment]           CIRCIA Ransom Payment Report (due even if the incident is not otherwise reportable)
T+72h  [reasonable belief]        CIRCIA Covered Cyber Incident Report
T+4bd  [materiality determined]   SEC Item 1.05 8-K within four business days (public companies only)
T+60d  [discovery]                HIPAA Breach Notification, 60 calendar days at the latest (covered entities and business associates)
Ongoing                           CIRCIA supplemental reports when substantial new or different information emerges
Per state law                     State AG and resident notifications, commonly keyed to date of discovery
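Because the clocks above run from different triggers and mix hour, calendar-day, and business-day units, they are easy to miscompute in the middle of an incident. The deadline calculator below is an added example written for this article, not tooling from the page's author or from Safeguard; the scenario timestamps are constructed, and the business-day arithmetic skips weekends only (it does not consult a federal holiday calendar, which a production version must).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` weekdays (Mon-Fri).

    Simplification/assumption: weekends are skipped but U.S. federal holidays
    are not; real SEC filing math needs a holiday calendar.
    """
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


@dataclass
class IncidentClocks:
    """Trigger timestamps captured by the IR team. Fields other than
    `detected` stay None until that trigger actually occurs."""
    detected: datetime                                  # starts HIPAA/state 'discovery' clocks
    reasonable_belief: Optional[datetime] = None        # starts the CIRCIA 72h clock
    ransom_paid: Optional[datetime] = None              # starts the CIRCIA 24h clock
    materiality_determined: Optional[datetime] = None   # starts the SEC 4-business-day clock
    public_company: bool = False
    hipaa_regulated: bool = False


def reporting_deadlines(c: IncidentClocks) -> Dict[str, datetime]:
    """Map each applicable filing to its due time. Clocks whose trigger has
    not fired are omitted rather than guessed from the detection time."""
    due: Dict[str, datetime] = {}
    if c.ransom_paid is not None:
        # Owed regardless of whether the underlying incident is otherwise reportable.
        due["circia_ransom_payment_report"] = c.ransom_paid + timedelta(hours=24)
    if c.reasonable_belief is not None:
        due["circia_covered_incident_report"] = c.reasonable_belief + timedelta(hours=72)
    if c.public_company and c.materiality_determined is not None:
        due["sec_item_1_05_8k"] = add_business_days(c.materiality_determined, 4)
    if c.hipaa_regulated:
        # Outer bound only: HIPAA also requires notice without unreasonable delay.
        due["hipaa_breach_notification"] = c.detected + timedelta(days=60)
    return due


def next_due(c: IncidentClocks, now: datetime) -> Optional[Tuple[str, datetime]]:
    """Earliest deadline still in the future, or None if nothing is pending."""
    pending = [(n, t) for n, t in reporting_deadlines(c).items() if t > now]
    return min(pending, key=lambda kv: kv[1]) if pending else None


def overdue(c: IncidentClocks, now: datetime) -> List[str]:
    """Filings whose deadline has already passed, sorted by name."""
    return sorted(n for n, t in reporting_deadlines(c).items() if t <= now)


# Constructed scenario (not a real incident): a public-company hospital system
# detects an intrusion on a Friday, pays a ransom over the weekend, and its
# disclosure committee finds the incident material on Monday afternoon.
SAMPLE = IncidentClocks(
    detected=datetime(2025, 3, 7, 9, 0, tzinfo=UTC),                # Friday
    reasonable_belief=datetime(2025, 3, 7, 14, 0, tzinfo=UTC),
    ransom_paid=datetime(2025, 3, 8, 2, 0, tzinfo=UTC),             # Saturday
    materiality_determined=datetime(2025, 3, 10, 16, 0, tzinfo=UTC),  # Monday
    public_company=True,
    hipaa_regulated=True,
)

if __name__ == "__main__":
    for name, when in sorted(reporting_deadlines(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{when.isoformat()}  {name}")
```

Keeping each trigger as its own field is the point of the design: an on-call engineer records timestamps as events happen, and the deadlines fall out deterministically instead of being recomputed by hand from whichever clock someone remembers. In the sample scenario the CIRCIA ransom report comes due Sunday morning, a full day before the 72-hour report and well before the SEC and HIPAA windows close.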
What records does a covered entity have to keep?
Two years of supporting records, per the proposed rule. That includes communications with the threat actor, indicators of compromise, forensic reports, system and network logs that document the incident, identification of the personnel involved in preparing the report, and copies of all submitted reports and supplements. Records must be kept in a format that can be made available to CISA on request. The obligation attaches to records related to a reported incident, not to every log the organization generates, but it still exposes a common gap: many SIEM and EDR retention windows are shorter than 24 months, and if incident-relevant logs roll off before they are preserved, a covered entity can be out of compliance even when its underlying response was sound. Tabletop exercises should therefore include the CIRCIA evidence question explicitly, with a designated records custodian, a preservation (legal-hold) step that fires when the 72-hour clock starts, and a chain-of-custody process.
What should covered entities do before the final rule lands?
Five practical steps. First, complete a covered-entity self-assessment using the dual-track test against current NAICS codes and sector membership; document the conclusion either way. Second, identify the senior official accountable for CIRCIA filings and add their contact details to incident playbooks. Third, integrate the 24-hour and 72-hour timers into existing incident severity rubrics so the on-call team can start the clock without an executive escalation. Fourth, map current vendor contracts for cloud, managed services, and software suppliers against the third-party-compromise prong of the covered-incident definition and add notification-cooperation clauses. Fifth, extend log and forensic-evidence retention to at least 24 months for systems likely to be implicated in a covered incident, or put a preservation process in place that exports incident-relevant logs out of short-retention SIEM and EDR tiers as soon as an incident is declared.
How Safeguard Helps
Safeguard ingests SBOMs, manifests, and runtime telemetry to maintain a continuous inventory of components that could be implicated in a covered cyber incident — the foundational evidence CISA will expect to see during a CIRCIA supplemental report. Griffin AI correlates new advisories, KEV entries, and VEX statements against your active inventory so the 72-hour clock starts with a defensible reachability picture, not a from-scratch investigation. TPRM workflows track vendor compliance with Secure by Design and other notification commitments, surfacing suppliers whose silence during an incident would leave you reporting blind. Policy gates and evidence packs can also produce CIRCIA-ready exports that align with the proposed two-year recordkeeping requirement, so compliance teams can answer CISA's records request without rebuilding the incident timeline from scratch.