{"id":203230,"date":"2026-04-08T10:27:00","date_gmt":"2026-04-08T14:27:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/08\/new-federal-cybersecurity-reporting-rules-are-on-their-way-faqs-for-businesses-about-circia-regulations-fisher-phillips\/"},"modified":"2026-04-08T10:45:11","modified_gmt":"2026-04-08T14:45:11","slug":"new-federal-cybersecurity-reporting-rules-are-on-their-way-faqs-for-businesses-about-circia-regulations-fisher-phillips","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/08\/new-federal-cybersecurity-reporting-rules-are-on-their-way-faqs-for-businesses-about-circia-regulations-fisher-phillips\/","title":{"rendered":"New Federal Cybersecurity Reporting Rules are on Their Way: FAQs for Businesses About CIRCIA Regulations | Fisher Phillips"},"content":{"rendered":"<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/new-federal-cybersecurity-reporting-5987747\/\">New Federal Cybersecurity Reporting Rules are on Their Way: FAQs for Businesses About CIRCIA Regulations | Fisher Phillips<\/a><\/p>\n<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/new-federal-cybersecurity-reporting-5987747\/\">https:\/\/www.jdsupra.com\/legalnews\/new-federal-cybersecurity-reporting-5987747\/<\/a><\/p>\n<p>Publish Date: 2026-04-08 10:27:00<\/p>\n<p>Source Domain: www.jdsupra.com<\/p>\n<p>A sweeping new federal cybersecurity mandate is on its way, and now is the time to build the infrastructure your business will need to comply. 
The Cybersecurity and Infrastructure Security Agency (CISA) is finalizing draft rules that will require a massive swath of American businesses to report certain cyber incidents, putting more structure and teeth behind the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). While the agency has been targeting May 2026 for the release of the final rule, recent federal appropriations disruptions could alter that timeline. But the core obligations are not expected to change from the draft rule, and businesses that wait for the ink to dry before preparing will be starting from behind. Here\u2019s a set of FAQs to help you understand what\u2019s about to happen and what you should do.<\/p>\n<p>What is CIRCIA, and why should my business care?<\/p>\n<p>CIRCIA was passed in 2022 as the federal government\u2019s first comprehensive, cross-sector approach to mandatory cyber incident reporting. Once the regulations take effect, the law will establish two core reporting obligations for covered entities:<\/p>\n<p>\treport significant cyber incidents to CISA within 72 hours of reasonably believing one has occurred; and<br \/>\n\treport ransomware payments within 24 hours of making them.<\/p>\n<p>Why does the government want this information?<\/p>\n<p>By collecting timely reports, CISA can deploy resources to assist victims, identify attack trends across sectors, and rapidly warn other potential targets before they fall prey to the same threat actor or technique.<\/p>\n<p>Does CIRCIA apply to my business?<\/p>\n<p>CISA estimates more than 300,000 entities across 16 critical infrastructure sectors will be subject to these requirements. The proposed rule uses a two-track test for coverage, and either track is sufficient to bring you in.<\/p>\n<p>\tThe first is size based. Any entity operating in a critical infrastructure sector that exceeds the Small Business Administration\u2019s small business size standards is covered. 
Those thresholds vary by industry \u2013 generally ranging from 100 to 1,500 employees or between $2.25 million and $47 million in annual revenue, depending on the sector. If you clear those thresholds and you\u2019re in a covered sector, you\u2019re in scope.<br \/>\n\tThe second track is sector-based criteria, which can capture entities regardless of size. Under the proposed rule, 16 specific categories of businesses within the critical infrastructure sectors are covered no matter how small because of the outsized risk their disruption would pose.<\/p>\n<p>Which 16 critical infrastructure sectors are covered?<\/p>\n<p>The 16 critical infrastructure sectors are:<\/p>\n<p>\tchemical<br \/>\n\tcommercial facilities<br \/>\n\tcommunications<br \/>\n\tcritical manufacturing<br \/>\n\tdams<br \/>\n\tdefense industrial base<br \/>\n\temergency services<br \/>\n\tenergy<br \/>\n\tfinancial services<br \/>\n\tfood and agriculture<br \/>\n\tgovernment facilities<br \/>\n\thealthcare and public health<br \/>\n\tinformation technology<br \/>\n\tnuclear reactors, materials, and waste<br \/>\n\ttransportation<br \/>\n\twater and wastewater systems<\/p>\n<p>This broad scope captures hospitals and health systems, banks and payment processors, managed service providers, SaaS companies serving enterprise clients in covered sectors, telecom carriers, airlines, utilities, and federal contractors. Many businesses that have never thought of themselves as \u201ccritical infrastructure\u201d will find themselves squarely in scope.<\/p>\n<p>What counts as a reportable incident?<\/p>\n<p>The proposed rule defines a \u201csubstantial cyber incident\u201d very broadly. 
Any of the following triggers a reporting obligation:<\/p>\n<p>\tSubstantial loss of confidentiality, integrity, or availability of your information systems or data<br \/>\n\tSerious impact on the safety or resilience of your operational systems and processes<br \/>\n\tDisruption of your ability to deliver goods or services<br \/>\n\tUnauthorized access caused by a supply chain compromise, including a breach at a vendor, managed service provider, or cloud platform with access to your systems<\/p>\n<p>Has CISA provided examples of attacks that qualify?<\/p>\n<p>Yes, CISA has offered concrete examples of what qualifies: a ransomware attack that encrypts core business systems, a DDoS attack that renders services unavailable for an extended period, unauthorized access via compromised credentials from an MSP, and exploitation of a vulnerability causing extended system downtime.<\/p>\n<p>When does the 72-hour clock start ticking?<\/p>\n<p>The 72-hour clock starts when you \u201creasonably believe\u201d a covered incident has occurred, not when your investigation confirms it. That distinction matters enormously for how quickly your internal escalation processes need to move.<\/p>\n<p>What types of reports are required?<\/p>\n<p>The proposed rule establishes four report types:<\/p>\n<p>\tCovered Cyber Incident Report (due within 72 hours)<br \/>\n\tRansom Payment Report (due within 24 hours of payment)<br \/>\n\tJoint Covered Cyber Incident and Ransom Payment Report if you experience a covered incident and pay a ransom (due within 72 hours)<br \/>\n\tSupplemental Report, filed whenever significant new or different information emerges after an initial report, or when a correction is needed<\/p>\n<p>How do we submit reports?<\/p>\n<p>Reports are submitted through CISA\u2019s web-based reporting form. 
CISA has indicated it will create a dedicated online portal at cisa.gov for submissions, and the agency may approve alternative submission methods.<\/p>\n<p>What must the report include?<\/p>\n<p>The reports must include a description of affected systems and networks, the nature of the attack, a timeline of the incident, the tactics and techniques used, the impact on operations, and the amount of any ransom payments made and the outcome. CISA acknowledges that initial reports may be incomplete given how early in an investigation the 72-hour deadline falls; supplemental filings are the mechanism for filling in gaps.<\/p>\n<p>Can third parties submit reports for a business?<\/p>\n<p>Yes, a third party like outside counsel, a managed service provider, or a cybersecurity firm can submit reports on your behalf. But legal responsibility stays with you. If the report is wrong, incomplete, or late, the covered entity bears the consequences.<\/p>\n<p>What records must be preserved?<\/p>\n<p>Covered entities must preserve incident-related records (system and network logs, indicators of compromise, forensic artifacts, records related to ransom payments, etc.) for two years from the date the report was submitted or required.<\/p>\n<p>What happens if we don\u2019t comply?<\/p>\n<p>If CISA learns of a potential covered incident (through a press release, a law enforcement referral, or any other source) and has not received a report, it can issue a Request for Information requiring a response within 72 hours. A non-response or inadequate response can escalate to a subpoena compelling disclosure.<\/p>\n<p>Information provided in response to a subpoena can be shared with the Department of Justice and other regulatory agencies for civil or criminal enforcement. That referral pathway cannot be appealed. 
And if false or fraudulent statements appear anywhere in a CIRCIA report or response, the exposure includes up to five years of imprisonment, and up to eight years if the offense involves terrorism.<\/p>\n<p>Are there other consequences for federal contractors?<\/p>\n<p>For federal contractors, the consequences extend further. CISA can refer noncompliance to the DHS Suspension and Debarment Official, putting a company\u2019s ability to do business with the federal government at risk.<\/p>\n<p>How does CIRCIA interact with other reporting obligations we already have?<\/p>\n<p>Many covered entities already operate under a patchwork of cyber reporting requirements, like HIPAA breach notification for healthcare organizations, SEC cyber disclosure rules for public companies, state breach notification statutes, or DFARS and CMMC obligations for defense contractors. CIRCIA doesn\u2019t displace those obligations. It adds to them.<\/p>\n<p>The proposed rule includes a \u201csubstantially similar\u201d exemption that could allow a CIRCIA report to be satisfied if the entity already reported to another federal agency under a separate law. But this only applies if CISA has a formal agreement in place with that agency establishing the equivalence. Those agreements are still being worked out, and the exemption is narrow.<\/p>\n<p>Critically, state reporting requirements will not satisfy CIRCIA. Dual reporting \u2013 to both CISA and state regulators \u2013 will be required in most situations.<\/p>\n<p>What is the timing and expectation for the rule to be finalized?<\/p>\n<p>CISA was originally required to finalize the CIRCIA regulations by October 2025. 
The agency pushed that deadline to May 2026, citing the volume of public comments received and the need to streamline requirements and harmonize CIRCIA with other federal cyber reporting frameworks.<\/p>\n<p>To gather additional stakeholder input before finalizing the rule, CISA had announced a series of virtual town hall meetings for early 2026, organized by sector. Those sessions were disrupted when a federal government appropriations lapse forced their postponement.<\/p>\n<p>CISA has indicated it will reschedule once funding is restored, but the delay makes a further extension past May 2026 increasingly likely. Regardless of the precise publication date, the core reporting obligations (72-hour incident reporting and 24-hour ransomware payment reporting) are not expected to change.<\/p>\n<p>What should we be doing right now to prepare?<\/p>\n<p>Businesses that treat the remaining runway as preparation time will be in a fundamentally better position than those waiting for official publication. Here\u2019s where to focus:<\/p>\n<p>\tDetermine your coverage status and document it. Don\u2019t assume you\u2019re out of scope. Conduct a deliberate analysis against both the size-based and sector-based criteria. Memorialize your conclusion in writing. If regulators later question whether you engaged the issue in good faith, that documentation matters.<br \/>\n\tAssign ownership before an incident occurs. The 72-hour clock starts the moment someone in your organization reasonably believes a covered incident has occurred. Designate a cross-functional response team (legal, IT\/security, communications, and senior leadership) and define in advance who has authority to make the call to file.<br \/>\n\tAudit and update your incident response plan. Most existing plans were not built with CIRCIA\u2019s timelines in mind. Map the 72-hour and 24-hour reporting windows explicitly into your escalation workflows. Then pressure-test them. 
Can your team detect, assess, and report within the window? Where are the gaps?<br \/>\n\tInvest in detection and monitoring. You cannot report what you cannot see. CIRCIA\u2019s deadlines require real-time visibility into your systems and networks. Organizations without 24\/7 monitoring capability will struggle to meet the \u201creasonable belief\u201d trigger and execute reporting in time.<br \/>\n\tMap your supply chain exposure. A breach at one of your vendors, MSPs, or cloud providers that results in unauthorized access to your systems is a covered incident under CIRCIA. Review third-party contracts for notification obligations that flow to you, and know which external parties have access to your systems and data.<br \/>\n\tBuild your data retention practices now. Two years of incident-related records (logs, forensic artifacts, indicators of compromise, etc.) is a significant retention obligation. Assess whether your current systems and policies can support it and make adjustments before an incident puts the requirement in play.<br \/>\n\tCoordinate your reporting obligations. 
If you\u2019re already subject to HIPAA, SEC disclosure rules, state breach laws, or federal contractor requirements, build a unified reporting workflow that accounts for all of them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Federal Cybersecurity Reporting Rules are on Their Way: FAQs for Businesses About CIRCIA Regulations&#8230;<\/p>\n","protected":false},"author":1,"featured_media":203231,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.7295_415.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,34,27],"class_list":["post-203230","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/203230"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=203230"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/203230\/revisions"}],"predecessor-version":[{"id":203232,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/203230\/revisions\/203232"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/203231"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=203230"}],"wp:term":[{"taxonomy":"category","e
mbeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=203230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=203230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}