Medium Vulnerability

CISA Revises Town Hall for Cyber Incident Reporting

What Happened

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a revised schedule for its stakeholder engagement town halls focused on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The updated timeline extends the period for public consultation, with virtual sessions now scheduled through late 2026. This adjustment follows feedback from industry partners who requested additional time to review proposed reporting requirements and submit comments. The town halls aim to refine how critical infrastructure entities must report cyber incidents, including ransomware payments, within specified timeframes.

Why It Matters

CIRCIA mandates that covered critical infrastructure organizations report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The revised town hall schedule directly impacts compliance timelines and regulatory expectations. For security teams, this means preparing internal incident reporting workflows that align with impending federal requirements. The extended engagement period provides a window for organizations to influence the final rulemaking, particularly around definitions of “substantial” incidents and reporting exemptions. Non-compliance risks enforcement actions, including referrals to the Department of Justice for willful violations. Any organization operating in sectors identified as critical (energy, healthcare, finance, water, transportation, etc.) must track this schedule closely to ensure their reporting mechanisms are ready when the final rule takes effect.

Technical Details

While CIRCIA does not introduce new technical vulnerabilities, its reporting requirements impose process changes on incident response. Covered entities must:

  • Implement automated incident detection and triage to meet the 72-hour reporting window
  • Establish secure channels for reporting incidents, likely through CISA’s forthcoming centralized submission portal
  • Document ransomware payment decisions, including negotiation details, to satisfy 24-hour notification mandates
  • Maintain logs of all reportable events, as CISA may request supplemental data during investigations

The rule applies to both direct attacks and supply chain incidents that affect covered systems. Entities should review their current SIEM configurations and incident response playbooks to ensure they can capture and escalate events meeting CIRCIA’s reporting thresholds.

Immediate Risk

The immediate risk is low for active exploitation, as CIRCIA remains in the rulemaking phase. However, organizations face regulatory risk if they fail to prepare. The revised town hall schedule extends the comment period, meaning final implementation may be delayed into 2027. This gives defenders time to audit current incident response capabilities against proposed requirements. The primary urgency is for legal and compliance teams to engage with CISA now, as the rule’s definitions of “covered entities” and “substantial incidents” may shift based on stakeholder input. Delaying engagement could result in reporting obligations that are overly broad or difficult to meet.

Security Insight

Most organizations focus CIRCIA compliance on technical detection and reporting pipelines, but the real challenge will be operationalizing the 24-hour ransomware payment notification. This requirement demands pre-established internal approval chains for ransom decisions, which many organizations lack. Security teams should use this extended comment period to build cross-functional incident response playbooks that integrate legal, executive, and finance teams into a single reporting workflow, not just technical responders. CISA’s town halls are an opportunity to ask for clarity on how the 24-hour clock starts, especially if payments involve complex cryptocurrency transactions or third-party negotiators.
