
The 72-Hour Clock Is Coming: CIRCIA's Mandatory Cyber Incident Reporting Will Cover 316,000 Companies

CISA announced town halls to finalize the biggest federal cybersecurity mandate in a decade. If you exceed SBA size thresholds in a critical infrastructure sector, mandatory 72-hour incident reporting is coming.

By Meetesh Patel

On February 13, CISA published a Federal Register notice announcing seven virtual town halls to gather final stakeholder input on the Cyber Incident Reporting for Critical Infrastructure Act. The sessions run March 9 through April 2, covering all 16 critical infrastructure sectors. After that, CISA plans to finalize the rule, with a final version expected around mid-2026, though the timeline may slip.

When it takes effect, roughly 316,000 companies will be required to report cyber incidents to the federal government within 72 hours. Ransomware payments get a 24-hour window. And the penalties for blowing the deadline aren't just fines. They're criminal.

If your company operates in financial services, healthcare, energy, telecom, IT, manufacturing, or defense contracting, and you're above the Small Business Administration's size thresholds, this rule almost certainly covers you. The town halls are the last real window to influence what the final version looks like.

What's actually in the rule

The reporting mandate

CIRCIA became law in March 2022 when President Biden signed the Consolidated Appropriations Act, 2022. The statute told CISA to write the implementing regulations, which is what's happening now.

CISA published a 447-page proposed rule in April 2024. Here's what it requires:

A covered entity that experiences a "covered cyber incident" must report it to CISA within 72 hours of forming a reasonable belief that the incident occurred. Ransomware payments must be reported within 24 hours. Both clocks start from the moment of reasonable belief, not from confirmation or full investigation.

That distinction matters. You don't get to run a two-week forensic investigation before deciding whether to pick up the phone.

Under 6 U.S.C. § 681 et seq., a "covered cyber incident" includes events causing substantial loss of confidentiality, integrity, or availability; serious impact on the safety or resiliency of operational systems; disruption of business operations; or unauthorized access through a supply chain or third-party compromise.

That last category deserves a pause. If your managed service provider gets breached and the attackers use that access to reach your systems, that's a reportable incident for you. The obligation follows the impact, not just the origin.

Who's covered (and who isn't)

CISA estimates approximately 316,244 entities will be covered. The rule uses two tests.

Size-based: if your company exceeds the SBA small business size standards for your industry, you're in. These thresholds vary by NAICS code. Depending on your sector, the cutoff might be 100 employees or 1,500, or annual revenue anywhere from $2.5 million to $47 million. Most mid-market and enterprise companies clear these thresholds easily.

Sector-based: even if you're below SBA thresholds, you're covered if you meet sector-specific criteria. IT hardware and software companies are covered regardless of size. Same for operators of certain energy, water, and communications infrastructure.

Here's the part that catches people off guard. CISA interprets "entity" to include "any person, partnership, business, association, corporation, or other organization." That language is deliberately wide. SaaS vendors serving healthcare systems, cloud providers hosting financial data, logistics platforms managing supply chains: none of these companies think of themselves as critical infrastructure. Under this rule, they might be.

The penalties have teeth

This is where CIRCIA breaks from most cybersecurity frameworks.

CISA can issue subpoenas to compel information from entities that don't report. Knowingly making false or fraudulent statements carries fines and up to five years imprisonment under 18 U.S.C. § 1001. If the false statement relates to terrorism, that jumps to eight years. CISA can refer subpoena enforcement to the DOJ, which can pursue contempt of court.

The estimated total cost to industry: $2.6 billion over 11 years, with $1.4 billion in direct reporting costs.

These aren't hypothetical enforcement tools. CISA has been direct about why the subpoena authority exists: voluntary reporting hasn't given the government enough visibility into what's actually happening across critical infrastructure networks. So now they're requiring it.

Why this matters now

The town halls are your last input window

CISA's February 13 announcement is clear: this isn't a reopening of the formal comment period. It's a "limited additional opportunity" for input. The sessions are structured by sector:

  • Chemical, Water, Energy, Nuclear: March 9
  • Manufacturing, Food and Agriculture: March 12
  • Healthcare, Emergency Services, Government: March 17
  • Telecom, Transportation, Financial Services: March 18
  • Defense Industrial Base, Information Technology: March 19
  • General sessions: March 31 and April 2

Each session runs two hours. Written materials must be submitted within seven calendar days after the session. CISA will publish transcripts in the rulemaking docket.

The agency wants feedback on three specific areas: whether size-based criteria should remain the primary coverage trigger, whether the content requirements for incident reports are too heavy, and how the subpoena process should work for entities that fail to report.

If your company is likely covered, this is when to speak up. After the town halls close, your next chance to object is federal court.

From voluntary to mandatory

Some context that helps explain what's happening here. The Cybersecurity Information Sharing Act of 2015 created a voluntary framework. Companies could share threat data with the federal government and get liability protections in return. Congress just extended that law through September 30, 2026, as part of this year's Consolidated Appropriations Act.

CIRCIA replaces the carrot with a stick. Instead of offering liability protections for sharing, it mandates reporting with criminal penalties for not sharing. The underlying conclusion from Congress is blunt: asking nicely didn't work.

That creates an uncomfortable compliance gap for companies that have been voluntarily sharing under the 2015 law. You're ahead of the curve, yes. But your processes almost certainly don't meet CIRCIA's requirements. Voluntary sharing is best-effort. CIRCIA has specific content requirements, rigid timelines, and legal consequences for getting it wrong.

How this shows up in your deals

If you're raising capital, acquiring companies, or negotiating enterprise contracts, CIRCIA is going to show up in your paperwork.

Cyber insurance underwriters will want to know if you're a covered entity, whether your incident response plan accounts for CIRCIA timelines, and whether you've named a reporting contact. Expect premiums to adjust as insurers price in the new compliance layer.

M&A diligence is expanding. Buyers will want CIRCIA readiness assessments for targets in covered sectors. The question during diligence isn't just "have you been breached?" It's "can you report a breach within 72 hours, and do you have the internal processes to actually do it?"

Vendor agreements need work too. If your MSP or cloud provider is the entry point for a cyber incident that reaches your systems, you're the one with the reporting obligation. Your contracts need notification timelines that give you enough runway to meet the 72-hour clock. A vendor that takes 48 hours to tell you about a breach leaves you 24 hours to investigate, assess, and file. That's not enough.

And board directors should be asking about CIRCIA readiness at the next committee meeting. The criminal penalties create a governance issue that goes well beyond the CISO's desk. If your CISO can't brief the board on CIRCIA readiness today, that's a gap worth closing.

What it means: our analysis

Our read: CIRCIA is the most significant federal cybersecurity regulation since the SEC's cyber disclosure rules took effect in December 2023. But it goes further in ways that should make general counsel uncomfortable.

The SEC rules require public companies to disclose material incidents to investors. CIRCIA requires a much broader set of entities, including private companies, to report incidents to a federal agency with law enforcement connections. The 72-hour timeline is aggressive. And "reasonable belief" as the trigger means you can't stall by claiming you were still investigating.

One counterpoint worth sitting with: CISA has said it wants to "reduce the scope and burden" of the final rule compared to the proposed version. The Trump administration delayed the rule from its original October 2025 deadline to May 2026 specifically to address industry pushback. The town halls are part of that. There's a real chance the final rule narrows the covered entity definition or loosens the initial report content requirements.

But hoping for a narrower final rule is a risky compliance strategy. Congress told CISA to build this reporting regime. That statutory mandate isn't going away. The only question is the details of implementation.

One more thing worth flagging: CIRCIA's reporting data will flow to federal law enforcement and intelligence agencies. Companies with international operations or sensitive government contracts should care about what happens to that data after it's filed. CISA has said it will protect reported information from use in enforcement actions against the reporting entity. But the specifics of those protections in the final rule matter enormously, and they're not settled yet.

Practical takeaways

1. Check your NAICS code against SBA size standards this week. If you exceed the threshold in any of the 16 critical infrastructure sectors, assume you're covered. The SBA size standards table is public. Don't wait for CISA to send you a letter.

2. Register for your sector's town hall session. Details are in the Federal Register notice. If you have concerns about scope, report content, or the subpoena process, prepare written comments and submit them within seven days of the session.

3. Audit your incident response plan for CIRCIA compatibility. Your current plan probably doesn't include a 72-hour federal reporting trigger. Map the full detection-to-reporting chain. Where are the bottlenecks? Can your team realistically form a "reasonable belief" and file within three days?

4. Review vendor and MSP contracts for notification timelines. If a third-party breach triggers your CIRCIA obligation, your agreements need to guarantee notification fast enough for you to hit the 72-hour window. Build in 24-hour vendor notification requirements at minimum.

5. Brief your board or audit committee. Criminal penalties make this a governance issue. Your directors need to understand the reporting obligations, the timeline, and the personal exposure that comes with filing inaccurate reports.

6. Designate a CIRCIA reporting contact and build the workflow now. The rule will require specific content in every report. Figure out who files, what data they need, and how they'll collect it within 72 hours during a live incident. This isn't something you want to improvise.

7. Coordinate with outside counsel on privilege. Incident investigation communications may be discoverable. Structure your reporting process to preserve attorney-client privilege where you can. Getting this wrong after the fact is expensive.

8. Map CIRCIA against your other reporting obligations. If you're also subject to SEC cyber disclosure rules, state breach notification laws, HIPAA, or NYDFS Part 500, you need a unified framework that hits all the deadlines without contradictions.
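Takeaways 3, 4 and 8 all come down to the same operational question: given the timestamps of a live incident, which clocks are running, when does each expire, and how much runway does a vendor's notification lag leave you. The following deadline calculator is an added example written for this article; it is not code from CISA or from the author. The two CIRCIA windows (72 hours from "reasonable belief", 24 hours from a ransomware payment) are the ones the article describes. The windows and trigger events for the other regimes it lists (NYDFS Part 500, NIS2, SEC Item 1.05) are my assumptions, marked as such, and should be checked against the current rule text; the business-day logic ignores holidays, and the sample timeline is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Obligation:
    """One reporting clock: which timeline event starts it and how long it runs."""
    name: str
    trigger: str            # key in the incident timeline that starts the clock
    hours: float = 0.0      # clock length in hours (used when business_days == 0)
    business_days: int = 0  # clock length in weekdays (holidays ignored: assumption)


# The two CIRCIA entries follow the article. The rest are illustrative values
# added here for the other regimes the article names; verify them before use.
OBLIGATIONS = [
    Obligation("CIRCIA covered cyber incident report", "reasonable_belief", hours=72),
    Obligation("CIRCIA ransomware payment report", "ransom_paid", hours=24),
    Obligation("NYDFS Part 500 notice (assumed 72h)", "reasonable_belief", hours=72),
    Obligation("NIS2 early warning (assumed 24h)", "reasonable_belief", hours=24),
    Obligation("NIS2 incident notification (assumed 72h)", "reasonable_belief", hours=72),
    Obligation("SEC Form 8-K Item 1.05 (assumed 4 business days)",
               "materiality_determined", business_days=4),
]

# Constructed sample timeline for a third-party compromise. Note that the
# "confirmed" event is referenced by no obligation: as the article stresses,
# the clocks start at reasonable belief, not at the end of the investigation.
SAMPLE_TIMELINE = {
    "vendor_breach_detected": datetime(2026, 6, 1, 9, 0),   # Monday, at the MSP
    "vendor_notified_us": datetime(2026, 6, 3, 9, 0),       # 48 h later
    "reasonable_belief": datetime(2026, 6, 3, 9, 0),        # formed on the vendor's notice
    "ransom_paid": datetime(2026, 6, 4, 15, 0),
    "materiality_determined": datetime(2026, 6, 4, 18, 0),
    "confirmed": datetime(2026, 6, 10, 12, 0),              # forensic confirmation, irrelevant to clocks
}


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` weekdays from `start`, skipping Saturday and Sunday.
    Keeps the time of day; holidays are ignored (assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def compute_deadlines(timeline: dict[str, datetime],
                      obligations: list[Obligation] = OBLIGATIONS) -> list[dict]:
    """One row per obligation whose trigger event has occurred, sorted by deadline.
    Obligations whose trigger is absent from the timeline are not yet running."""
    rows = []
    for ob in obligations:
        if ob.trigger not in timeline:
            continue
        start = timeline[ob.trigger]
        if ob.business_days:
            deadline = add_business_days(start, ob.business_days)
        else:
            deadline = start + timedelta(hours=ob.hours)
        rows.append({"obligation": ob.name, "starts": start, "deadline": deadline})
    rows.sort(key=lambda r: r["deadline"])  # stable: ties keep OBLIGATIONS order
    return rows


def overdue(rows: list[dict], now: datetime) -> list[str]:
    """Names of obligations whose deadline has already passed at `now`."""
    return [r["obligation"] for r in rows if r["deadline"] < now]


def vendor_runway(vendor_notice_hours: float, reporting_window_hours: float = 72.0) -> float:
    """Hours left to investigate, assess and file after a vendor's notification lag,
    using the article's framing (a 48 h lag leaves 24 h of a 72 h window)."""
    return reporting_window_hours - vendor_notice_hours


def check_vendor_sla(sla_hours: float, min_investigation_hours: float = 48.0,
                     reporting_window_hours: float = 72.0) -> bool:
    """True if a contractual vendor notification SLA leaves at least
    `min_investigation_hours` of the reporting window. The 48 h minimum is an
    assumed internal policy value, chosen so that the article's 24 h vendor SLA passes."""
    return vendor_runway(sla_hours, reporting_window_hours) >= min_investigation_hours


if __name__ == "__main__":
    for row in compute_deadlines(SAMPLE_TIMELINE):
        print(f"{row['deadline']:%Y-%m-%d %H:%M}  {row['obligation']}")
    print("overdue at 2026-06-05 10:00:",
          overdue(compute_deadlines(SAMPLE_TIMELINE), datetime(2026, 6, 5, 10, 0)))
```

Feeding a real incident's timestamps into `SAMPLE_TIMELINE`'s shape gives the ordered filing schedule for takeaway 8, and the rows' `starts` field shows which event each clock hangs on, so the team can see immediately that moving the confirmation date does nothing to the deadlines. The `check_vendor_sla` call is the contract review in takeaway 4 reduced to a rule you can apply to every vendor agreement.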

What we're watching

CIRCIA town halls, March 9 through April 2: The sector-specific sessions will surface industry's biggest concerns and may signal where CISA will bend on scope. The Defense/IT session on March 19 will be telling for tech companies.

CIRCIA final rule, expected May 2026 but likely to slip: The six-month delay from October 2025 already reflects heavy pushback. If the town halls generate new concerns, the timeline moves again.

Cybersecurity Information Sharing Act of 2015 expiration, September 30, 2026: The voluntary sharing framework dies unless Congress acts. If CIRCIA's final rule isn't live by then, there's a gap in federal cyber information-sharing. Nobody wants that gap, but it's possible.

NIS2 enforcement, April 18, 2026: Companies with EU operations face a parallel mandatory reporting regime. Build one unified framework now instead of doing it twice.

NYDFS Part 500 certification, April 15, 2026: Financial services companies hit the annual cybersecurity certification deadline, with heightened MFA enforcement expected this cycle.

The voluntary era of federal cybersecurity reporting is ending. CIRCIA moves the government's posture from "please share" to "you must report, and here are the consequences if you don't." The town halls are the last stop before that shift becomes final. Whether you show up to shape the rule or wait to comply with whatever comes out, the 72-hour clock is coming. Start building the processes now.

Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. The information contained herein should not be relied upon as legal advice and readers are encouraged to seek the advice of legal counsel. The views expressed in this article are solely those of the author and do not necessarily reflect the views of Consilium Law LLC.
