CISA set to receive feedback on landmark cyber incident reporting rules
Publish Date: 2026-02-27 17:59:00
Source Domain: federalnewsnetwork.com
CISA’s upcoming townhalls on the “CIRCIA” rule are likely to re-surface a lot of industry consternation about the sweeping cyber incident reporting requirements.
Justin Doubleday (@jdoubledayWFED)
February 27, 2026 5:56 pm
The Cybersecurity and Infrastructure Security Agency is likely to get plenty of feedback in the coming month on tightening definitions, clarifying timelines and potentially narrowing the scope of who exactly must report cyber incidents under a landmark cyber incident reporting law.
CISA earlier this month announced plans to host a series of “townhalls” through March and early April to get feedback on the rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The cyber agency released a notice of proposed rulemaking for CIRCIA in 2024, but the finalization of that rule has stalled as the Trump administration considers changes to the reporting requirements.
CISA said the townhall would provide “a limited additional opportunity to provide input on refining the scope and burden” of the CIRCIA rule.
In a Feb. 17 note to clients, lawyers with Mayer Brown wrote that the CIRCIA rulemaking “has significant implications for companies across many sectors,” adding that “companies would be wise to view this notice as a signal that the CIRCIA rulemaking is moving forward once more.”
“Companies should be prepared to revisit their assessments of CIRCIA’s potential impact on their cyber incident response processes to ensure that they are well-positioned to respond if CISA does go forward with a final rule in the coming months,” they wrote.
The incident reporting requirements cut across the 16 critical infrastructure sectors. The law generally requires critical infrastructure organizations to report “significant” cyber incidents to CISA within 72 hours.
But Congress gave CISA wide latitude to define the specifics of the cyber incident reporting regulations.
Many industry groups criticized the proposed rule CISA released in 2024 for being too broad in defining what organizations should report cyber incidents to CISA. In the NPRM, the agency estimated the rules will apply to about 300,000 organizations across the country.
Caleb Skeath, a partner at the law firm Covington, said CISA is trying to strike the right balance when it comes to defining which organizations should have to report cyber incidents to the agency.
“Part of the reasoning and thinking for getting this information through an incident reporting requirement is to give CISA a certain degree of visibility across the threat ecosystem, so it’s not necessarily with as much of an enforcement focus as some of the other cyber incident reporting frameworks that we see,” Skeath told Federal News Network. “In that regards, it’s understandable there might be an interest in going fairly broad.”
But, Skeath added, it can be “a double edged sword in certain respects, because if you go too broad, you might end up with more information than you can readily process or absorb.”
Many organizations also criticized how the proposed rule defines a “substantial cyber incident” that must be reported to CISA within 72 hours. The American Hospital Association, for instance, said the rule’s definition was “ambiguous, confusing and does not adequately consider the operational realities or complex interconnectedness of the field.”
In its Federal Register notice announcing the town halls this month, CISA acknowledged issues like the scope of entities covered by the rule and what exactly constitutes a covered cyber incident as “topics of interest” for the upcoming discussions.
“CISA welcomes any specific, actionable improvements that CISA could implement in the final rule to clarify or reduce burden of CIRCIA’s regulatory requirements while enhancing the federal government’s visibility into the cyber threat landscape for critical infrastructure sectors,” acting CISA Director Madhu Gottumukkala wrote in the notice.
© 2026 Federal News Network. All rights reserved.