CISA expects to finalize key cyber reporting rule by September
Yuichiro Chino/Getty Images
ByDavid DiMolfetta,
Cybersecurity Reporter, Nextgov/FCW
July 6, 2026 05:13 PM ET
Last month, CISA held additional stakeholder town halls on the forthcoming CIRCIA final rule after a now-resolved DHS funding lapse this spring delayed the meetings.
The Cybersecurity and Infrastructure Security Agency expects to finalize a bedrock cybersecurity incident reporting rule in September, requiring critical infrastructure providers to report major hacks directly to the cyberdefense agency, according to a regulation document published last week.
The Cyber Incident Reporting for Critical Infrastructure Act requires critical infrastructure entities to report substantial incidents to CISA within 72 hours and ransomware payments within 24 hours.
CIRCIA’s underlying measure in Congress first passedin 2022, though the final rule has been delayed for some time. CISA published the first procedural notice for the rule in April 2024 and missed the statutory October 2025 final-rule deadline. Last month,...
Copyright of this story solely belongs to nextgov.com. To see the full text click HERE