CISA expects to finalize key cyber reporting rule by September

CISA expects to finalize key cyber reporting rule by September

CISA expects to finalize key cyber reporting rule by September

https://www.nextgov.com/cybersecurity/2026/07/cisa-expects-finalize-key-cyber-reporting-rule-september/414607/

Publish Date: 2026-07-06 17:13:00

Source Domain: www.nextgov.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.
The Cybersecurity and Infrastructure Security Agency expects to finalize a bedrock cybersecurity incident reporting rule in September, requiring critical infrastructure providers to report major hacks directly to the cyberdefense agency, according to a regulation document published last week. The Cyber Incident Reporting for Critical Infrastructure Act requires critical infrastructure entities to report substantial incidents to CISA within 72 hours and ransomware payments within 24 hours. CIRCIA’s underlying measure in Congress first passed in 2022, though the final rule has been delayed for some time. CISA published the first procedural notice for the rule in April 2024 and missed the statutory October 2025 final-rule deadline. Last month, the agency held additional stakeholder town halls to further discuss the directive after a now-resolved shutdown of the Department of Homeland Security in the spring delayed scheduling of those meetings.CIRCIA is significant because CISA has historically relied on voluntary cooperation from critical infrastructure operators, and the law would move a major piece of that relationship into a mandatory reporting regime. The directive grew out of post-SolarWinds and Colonial Pipeline concerns that voluntary reporting left the government blind to major cyber incidents. Russia’s invasion of Ukraine added urgency by raising fears that geopolitical conflict could spill into attacks on U.S. critical infrastructure.