CISA official says CIRCIA cyber reporting update is 'weeks' away

A top Cybersecurity and Infrastructure Security Agency official on Tuesday promised there would be an update soon on a long-awaited rule to require critical infrastructure owners and operators to report major cyber incidents to the federal government.

The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) required CISA to produce a final rule enacting the law by last October. However, that timeline slipped to May 2026. Agency officials have since indicated the rulemaking process would be tweaked after a version of the rule sparked industry backlash.

“I think that we'll have some news on CIRCIA in pretty short order, in the next couple of weeks, hopefully,” Nick Andersen, executive assistant director for cybersecurity at CISA, told reporters on the sidelines of an event hosted by the Information Technology Industry Council.

Andersen declined to say if the announcement would be about a new rulemaking process or if CISA would stick with the current program.

The 2022 law requires critical infrastructure owners and operators to report to CISA within 72 hours if they suffer a major cyberattack and within 24 hours if they pay a ransomware demand. 

The statute came after a series of high-profile digital attacks, including the 2021 Colonial Pipeline hack.