The federal government’s most sweeping cyber incident reporting mandate is approaching its final stages, and government contractors across a wide range of industries should be paying close attention. The Cyber Incident Reporting for Critical Infrastructure Act of 2022, known as CIRCIA, will require hundreds of thousands of organizations to report significant cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) on tight timelines. The new requirements are likely to disproportionately impact government contractors because of the significant overlap between companies operating in the infrastructure space and those holding government contracts. Although the final rule has not yet been published, the core obligations are well established, and organizations that wait until publication to begin preparing risk falling behind. Failure to comply can result in significant consequences, including suspension or debarment.
What Is CIRCIA and Will It Apply to My Company?
CIRCIA was signed into law in March 2022 and directs CISA to develop regulations requiring covered entities to report certain cyber incidents and ransomware payments.
CISA estimates that over 300,000 entities across 16 critical infrastructure sectors[1] will fall within CIRCIA’s scope.
An organization will be “covered” by the disclosure requirements of CIRCIA if it satisfies either of two standards. The first standard is size-based, covering any entity in a critical infrastructure sector that exceeds the SBA’s small business size standards for its industry. The second standard is sector-based, covering any entity, regardless of size, that operates within 16 specific categories of business (e.g., hospitals, public communication services, or certain defense contractors). Notably, coverage applies to the entire corporate entity, not just the qualifying division, meaning many businesses not traditionally associated with critical infrastructure may find themselves in scope.
While the requirements of CIRCIA are not yet in effect, implementation is expected soon and without much notice. Initially, CISA faced an October 2025 deadline to finalize an implementing rule. However, this deadline was pushed to May 2026 in order to hold virtual town halls and consider stakeholder feedback. A lapse in federal appropriations for the Department of Homeland Security forced the agency to postpone the sessions, making further delay beyond May 2026 increasingly likely.
What the Final Rule Is Expected to Require
While certain details may shift in the final rule, the core reporting obligations are statutory requirements that CISA cannot alter through regulation. Once the regulation takes effect, covered entities will have to (1) report substantial cyber incidents to CISA within 72 hours of reasonably believing one has occurred; and (2) report ransomware payments within 24 hours of making them. If both a covered cyber incident and a ransom payment occur, a joint report is due within 72 hours. Supplemental reports may be required if significant additional information is obtained after these initial deadlines.
The proposed rule defines “substantial cyber incident” as a cyber incident that leads to any of the following:
- a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
- a serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
- a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
- unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.
CISA intends to collect reports through a web-based portal at cisa.gov. Reports will need to include a description of affected systems and networks, a timeline of the incident, the tactics and techniques used by the attacker, the security defenses in place before the incident, information about any ransom demands or payments, and the entity’s mitigation efforts.
Covered entities must retain incident-related records, including system logs, forensic artifacts, and indicators of compromise, for at least two years from the date the report was submitted or required.
What Are the Consequences of a Failure to Report?
Companies that fail to comply with CIRCIA face referral to the Department of Justice for civil action and/or to other federal agencies for enforcement, including potential suspension or debarment. CIRCIA grants CISA authority to investigate potential failures to report, including by the use of Requests for Information (RFIs) and/or subpoenas.
Information submitted to CISA under CIRCIA is subject to restrictions on public disclosure and later use in legal proceedings. These safeguards are intended to encourage prompt and candid reporting without exposing companies to additional legal risk as a result of their compliance.
CIRCIA does not replace existing cyber reporting requirements under other federal or state laws (e.g., obligations under HIPAA, the SEC’s cybersecurity disclosure rules, and/or state breach notification statutes). The final rule may include a narrow exemption where a covered entity is already required to make a “substantially similar” disclosure to certain other federal agencies.
Advice for Government Contractors
Businesses should not wait to begin preparing until a final rule is implemented. The reporting obligations and the 72-hour and 24-hour windows will demand a level of operational readiness that takes time to build. The following steps can help organizations position themselves for compliance.
Assess whether you are a covered entity. Evaluate your organization’s potential status as a covered entity by carefully reviewing both the size thresholds and the sector-specific criteria, and create a written record of your determination.
Designate a response team. Establish clear responsibility for the reporting decision and identify who in your organization is authorized to initiate a filing.
Invest in detection and monitoring capabilities. CIRCIA’s deadlines require the ability to detect, assess, and report quickly. Organizations without real-time visibility into their systems and networks will struggle to meet the “reasonable belief” trigger within the reporting window.
Review third-party and supply chain exposure. A breach at a vendor, managed service provider, or cloud provider that results in unauthorized access to your systems may constitute a covered incident under CIRCIA. Review your contracts for notification obligations that flow to your company.
Establish data retention practices. Build or update your data retention program to ensure that incident-related records, including logs, forensic artifacts, and indicators of compromise, are preserved for at least two years.
[1] Covered sectors include: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation; and water and wastewater systems.