CIRCIA Final Rule Expected May 2026: Critical Infrastructure Faces Mandatory 72-Hour Incident and 24-Hour Ransomware Payment Reporting

The cybersecurity landscape for U.S. critical infrastructure is about to transform dramatically. The Cybersecurity and Infrastructure Security Agency (CISA) is expected to publish the final rule implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in May 2026, creating the first comprehensive federal cyber incident reporting mandate spanning 16 critical infrastructure sectors. Organizations across energy, healthcare, financial services, transportation, and other essential industries will face strict requirements to report significant cyber incidents within 72 hours and ransomware payments within 24 hours—or face substantial penalties.

Executive Summary

CIRCIA, signed into law on March 15, 2022, represents Congress's most significant effort to address the fragmented, inconsistent, and often voluntary nature of cybersecurity incident reporting across critical infrastructure. The law mandates that covered entities report two types of events to CISA:

  1. Covered cyber incidents (substantial disruptions or unauthorized access): 72-hour reporting requirement
  2. Ransomware payments: 24-hour reporting requirement

The May 2026 final rule will transform CIRCIA from statutory framework to operational reality, defining precisely:

  • Which organizations are covered
  • What constitutes a "covered cyber incident" requiring reporting
  • Technical details of the reporting process
  • Exemptions and exceptions
  • Enforcement mechanisms and penalties
  • Interaction with existing sector-specific reporting requirements

Key implications include:

  • Expanded coverage: Unlike sector-specific regimes, CIRCIA applies across 16 critical infrastructure categories
  • Aggressive timelines: 72-hour and 24-hour requirements are among the shortest reporting windows in cybersecurity regulation
  • Ransomware transparency: Mandatory disclosure of ransom payments creates unprecedented visibility into ransomware economics
  • Federal consolidation: "Report once, share many" approach aims to reduce duplicative reporting across federal agencies
  • Preemption questions: Interaction with state breach notification laws and sector-specific requirements remains complex
  • Operational burden: Organizations must implement detection, assessment, and reporting capabilities sufficient to meet tight deadlines

The final rule will mark a watershed moment in U.S. cybersecurity governance, fundamentally altering how critical infrastructure entities detect, assess, respond to, and report cyber incidents.

Legislative Background: Why CIRCIA Was Necessary

The Problem CIRCIA Addresses

Fragmented Reporting Landscape

Before CIRCIA, cyber incident reporting for critical infrastructure was characterized by:

Voluntary Frameworks:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework guidance
  • CISA's voluntary reporting through cybersecurity advisories
  • Industry Information Sharing and Analysis Centers (ISACs)
  • Sector-specific voluntary programs

Sector-Specific Mandates:

  • Banking: Bank Secrecy Act, FFIEC guidance
  • Healthcare: HIPAA breach notification (60 days for breaches affecting 500+ individuals)
  • Securities: SEC incident disclosure rules
  • Energy: DOE emergency reporting
  • Transportation: TSA pipeline and aviation security incident reporting

State Breach Notification Laws:

  • 50+ different state breach notification regimes
  • Varying definitions of "breach" and "personal information"
  • Different notification timelines (often 30-60 days)
  • Focus on consumer notification rather than government reporting

Result:

  • Incomplete federal visibility into cyber threats facing critical infrastructure
  • Inconsistent threat information sharing across sectors
  • Delayed federal response to emerging threats
  • Duplicative reporting burdens on multi-sector organizations
  • Gaps in understanding of adversary tactics, techniques, and procedures (TTPs)

High-Profile Incidents Driving Change

Several incidents demonstrated the inadequacy of voluntary reporting:

Colonial Pipeline (May 2021)

  • Ransomware attack shut down 5,500-mile fuel pipeline
  • Gasoline shortages and panic buying across East Coast
  • Company paid $4.4 million ransom (later partially recovered by FBI)
  • Federal government learned of attack primarily through media reports and company outreach
  • Highlighted lack of mandatory reporting for critical infrastructure cyber incidents

SolarWinds Supply Chain Attack (Discovered December 2020)

  • Russian SVR compromised software update mechanism
  • Affected multiple federal agencies and Fortune 500 companies
  • Months-long dwell time before detection
  • Inadequate information sharing delayed threat detection across victims

JBS Foods (May 2021)

  • World's largest meat processor hit by ransomware
  • Temporary shutdown of beef processing plants
  • Company paid $11 million ransom
  • Food supply chain vulnerability exposed

Kaseya Supply Chain Attack (July 2021)

  • REvil ransomware group compromised managed service provider software
  • Affected ~1,500 downstream businesses
  • Demonstrated cascading impact of supply chain attacks

These incidents revealed a disturbing pattern: federal authorities often learned of critical infrastructure cyber incidents from media coverage rather than direct reporting from affected entities.

Congressional Response: CIRCIA

Recognizing the inadequacy of voluntary reporting, Congress included CIRCIA in the Consolidated Appropriations Act of 2022, signed into law March 15, 2022.

Key Legislative Provisions:

Section 2242: Covered Cyber Incident and Ransomware Payment Reporting

  • Mandates reporting of covered cyber incidents within 72 hours
  • Requires reporting of ransomware payments within 24 hours
  • Directs CISA to develop implementing regulations
  • Provides 24-month rulemaking timeline

Section 2243: Cyber Incident Reporting Council

  • Establishes interagency coordination body
  • Harmonizes federal cyber incident reporting requirements
  • Reduces duplicative reporting burdens

Section 2244: Ransomware Vulnerability Warning Pilot Program

  • CISA program to warn entities of ransomware vulnerabilities
  • Proactive threat mitigation approach

Section 2245: Cybersecurity State Coordinator

  • CISA to designate coordinators in each state
  • Facilitate state-federal coordination on cyber incidents

The May 2026 Final Rule: What to Expect

Timeline to Final Rule

March 15, 2022: CIRCIA enacted
March 15, 2024: Statutory deadline for final rule (24 months after enactment)
Actual Status: Rulemaking delayed beyond statutory deadline
Expected Publication: May 2026 (approximately 49 months after enactment)

Reasons for Delay:

  • Complexity of defining "covered entities" across 16 sectors
  • Balancing prescriptive requirements with operational flexibility
  • Addressing concerns about competitive harm from disclosure
  • Coordinating with existing sector-specific reporting regimes
  • Extensive stakeholder input and comment review
  • Administration changes and policy shifts

Covered Entities: The 16 Critical Infrastructure Sectors

CIRCIA applies to entities operating in the 16 critical infrastructure sectors identified in Presidential Policy Directive 21 (PPD-21):

  1. Chemical Sector
    • Chemical manufacturing facilities
    • Chemical distribution networks
    • Hazardous materials handling
  2. Commercial Facilities Sector
    • Shopping centers and retail
    • Lodging (hotels, resorts)
    • Entertainment venues
    • Sports complexes
    • Public assembly spaces
  3. Communications Sector
    • Telecommunications providers
    • Internet service providers
    • Broadcast media
    • Data centers
  4. Critical Manufacturing Sector
    • Primary metals manufacturing
    • Machinery manufacturing
    • Electrical equipment production
    • Transportation equipment manufacturing
  5. Dams Sector
    • Hydroelectric power dams
    • Water retention and control systems
    • Flood control infrastructure
  6. Defense Industrial Base Sector
    • Defense contractors
    • Weapons systems manufacturers
    • Military support services
  7. Emergency Services Sector
    • Law enforcement agencies
    • Fire and rescue services
    • Emergency medical services
    • Emergency management agencies
  8. Energy Sector
    • Electric power generation, transmission, distribution
    • Oil and natural gas production and refinement
    • Petroleum pipelines
    • Renewable energy facilities
  9. Financial Services Sector
    • Banks and credit unions
    • Securities firms
    • Insurance companies
    • Payment systems
  10. Food and Agriculture Sector
    • Food production and processing
    • Agricultural production
    • Food distribution networks
    • Restaurants (large-scale/critical)
  11. Government Facilities Sector
    • Federal, state, local government buildings
    • Courthouses
    • National monuments
    • Military installations
  12. Healthcare and Public Health Sector
    • Hospitals and medical centers
    • Pharmaceutical manufacturers
    • Medical device companies
    • Public health laboratories
  13. Information Technology Sector
    • Software companies
    • Hardware manufacturers
    • IT services providers
    • Cybersecurity firms
  14. Nuclear Reactors, Materials, and Waste Sector
    • Nuclear power plants
    • Nuclear fuel fabrication
    • Nuclear waste management
    • Medical isotope production
  15. Transportation Systems Sector
    • Aviation (airlines, airports)
    • Maritime (ports, shipping)
    • Rail (freight and passenger)
    • Highway and motor carriers
    • Pipeline systems
  16. Water and Wastewater Systems Sector
    • Drinking water systems
    • Wastewater treatment plants
    • Water distribution networks
    • Stormwater systems

Threshold Question: Which Entities Must Report?

The Challenge:

Not every entity in these sectors poses equal risk. The final rule must define thresholds to capture entities whose compromise would have significant consequences while avoiding over-inclusion that would overwhelm both covered entities and CISA.