CISA delays cyber incident reporting town halls due to shutdown
Publish Date: 2026-03-09 14:28:00
Source Domain: federalnewsnetwork.com
The Cybersecurity and Infrastructure Security Agency is postponing meetings with industry on a forthcoming cyber incident reporting rule due to the ongoing Department of Homeland Security shutdown.
The shutdown is also “likely” to delay the final Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule, CISA confirmed today.
In a notice posted to its website, CISA said it won’t be able to hold planned town halls on CIRCIA due to the lapse in appropriations. The town halls were scheduled for today, March 9, through early April.
Nick Andersen, acting CISA director, blamed the postponement on the “Democrats’ shutdown of DHS” in a statement provided to Federal News Network. The DHS-specific shutdown began on Feb. 14 over disagreements between Senate Democrats and the White House over immigration enforcement reforms.
“Once the appropriations lapse has concluded, CISA will issue an updated notice with a revised town hall schedule and share the schedule on cisa.gov/circia,” Andersen said. “The continued delays associated with the shutdown will likely result in a delay to the issuance of the final rule.”
CISA had planned on hosting a series of virtual meetings with specific industry sectors, as well as two general meetings, starting today, March 9, through early April.
The meetings were expected to give representatives from across critical infrastructure sectors, as well as other members of the public, a chance to provide CISA with more feedback on the landmark CIRCIA rules.
The reporting rules will apply across 16 critical infrastructure sectors, ranging from electric utilities and water systems to hospitals and chemical facilities. Under the regulations, entities will have to report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
CISA issued proposed regulations in 2024 under the Biden administration. Last year, the Trump administration delayed issuance of the final CIRCIA rule to get more feedback on the regulations.
When announcing the town halls in February, CISA said the engagements would provide “a limited additional opportunity to provide input on refining the scope and burden” of the rule.
In a Feb. 17 note to clients, lawyers with Mayer Brown wrote that the rulemaking “has significant implications for companies across many sectors,” adding that “companies would be wise to view this notice as a signal that the CIRCIA rulemaking is moving forward once more.”
“Companies should be prepared to revisit their assessments of CIRCIA’s potential impact on their cyber incident response processes to ensure that they are well-positioned to respond if CISA does go forward with a final rule in the coming months,” they wrote.
Many industry groups had criticized CISA’s proposed rule for being too broad in defining what organizations should report cyber incidents to CISA. In the NPRM, the agency estimated the rules will apply to about 300,000 organizations across the country.
Caleb Skeath, a partner at the law firm Covington, said CISA is trying to strike the right balance when it comes to defining which organizations should have to report cyber incidents to the agency.
“Part of the reasoning and thinking for getting this information through an incident reporting requirement is to give CISA a certain degree of visibility across the threat ecosystem, so it’s not necessarily with as much of an enforcement focus as some of the other cyber incident reporting frameworks that we see,” Skeath told Federal News Network. “In that regards, it’s understandable there might be an interest in going fairly broad.”
But, Skeath added, that can be “a double edged sword in certain respects, because if you go too broad, you might end up with more information than you can readily process or absorb.”
Many organizations also criticized how the proposed rule defines a “substantial cyber incident” that must be reported to CISA within 72 hours. The American Hospital Association, for instance, called the rule’s definition “ambiguous, confusing and does not adequately consider the operational realities or complex interconnectedness of the field.”
In the Federal Register notice announcing the town halls, CISA acknowledged issues like the scope of entities covered by the rule and what exactly constitutes a covered cyber incident as “topics of interest” for the upcoming discussions.
“CISA welcomes any specific, actionable improvements that CISA could implement in the final rule to clarify or reduce burden of CIRCIA’s regulatory requirements while enhancing the federal government’s visibility into the cyber threat landscape for critical infrastructure sectors,” CISA wrote in the Federal Register notice.