The Cybersecurity and Infrastructure Security Agency (CISA) has recently introduced a comprehensive 447-page draft outlining new regulations for critical infrastructure organizations under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This initiative marks a significant step forward in strengthening the United States’ cybersecurity posture.

Overview of the Draft Rule

Published in the Federal Register, this rule draft is a response to the legislation passed in 2022, aimed at enhancing the government’s capabilities in tracking and responding to cyber incidents and ransomware payments. Homeland Security Secretary Alejandro Mayorkas emphasized the importance of this move, stating that it will bolster CISA’s ability to identify vulnerabilities and assist victims of cyber incidents.

Key aspects of the rule include:

  • Mandatory reporting of cyber incidents within 72 hours and ransomware payments within 24 hours for certain critical infrastructure organizations.
  • Coverage of incidents that cause substantial harm or pose a significant threat to national security or public health and safety.
  • Assurance of confidentiality for the reports, exempting them from public disclosure laws.
  • A significant financial outlay, with CISA estimating the cost of enforcement at $2.6 billion over 11 years.

Industry and Expert Reactions

The draft has garnered mixed responses from cybersecurity experts. Josh Corman, former leader of CISA’s COVID Task Force, raised concerns over the limited scope of the regulation, stressing the need for inclusivity of small companies in the reporting process. Meanwhile, operational technology security strategist Chris Warner praised the inclusion of ransomware payment tracking.

Experts like Scott Algeier, executive director of IT-ISAC, and Viakoo vice president John Gallagher, emphasize the need for clear definitions and practical reporting thresholds to avoid diverting resources from actual security incidents.

Concerns and Suggestions

Several points of contention have arisen regarding the draft:

  • The focus on large organizations potentially overlooks the critical role of smaller firms in various sectors.
  • The reliance on outdated 2015 sector-specific plans, which may not reflect current industry landscapes.
  • Concerns over the delay in implementation, considering the urgent need for such regulations following incidents like the Colonial Pipeline attack.

Future Steps and Public Involvement

The public will have a 60-day window for commenting on the rule post its official publication on April 4. CISA aims to finalize the rule within the next 18 months, incorporating public feedback to refine and optimize its scope and effectiveness.


CISA’s draft of the cyber incident reporting rule under CIRCIA is a pivotal step in fortifying national cybersecurity. While it is a promising development, the dialogue between CISA, industry stakeholders, and cybersecurity experts is crucial to ensure the rule’s effectiveness and practicality. This ongoing collaboration will be instrumental in shaping a robust cybersecurity framework that safeguards the nation’s critical infrastructure against evolving cyber threats.