CISA expects to finalize key cyber reporting rule by September

https://cdn.nextgov.com/media/img/cd/2026/07/06/070626cyberNG/open-graph.jpg

Yuichiro Chino/Getty Images

ByDavid DiMolfetta,
Cybersecurity Reporter, Nextgov/FCW

July 6, 2026 05:13 PM ET

Last month, CISA held additional stakeholder town halls on the forthcoming CIRCIA final rule after a now-resolved DHS funding lapse this spring delayed the meetings.

The Cybersecurity and Infrastructure Security Agency expects to finalize a bedrock cybersecurity incident reporting rule in September, requiring critical infrastructure providers to report major hacks directly to the cyberdefense agency, according to a regulation document published last week.

The Cyber Incident Reporting for Critical Infrastructure Act requires critical infrastructure entities to report substantial incidents to CISA within 72 hours and ransomware payments within 24 hours.

CIRCIA’s underlying measure in Congress first passedin 2022, though the final rule has been delayed for some time. CISA published the first procedural notice for the rule in April 2024 and missed the statutory October 2025 final-rule deadline. Last month,...

Copyright of this story solely belongs to nextgov.com. To see the full text click HERE

Read more