Cyber reporting for critical infrastructure

Organizations can help shape scope of reporting requirements

As the Cybersecurity and Infrastructure Security Agency (CISA) moves to finalize its proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), organizations that may fall within its scope have another opportunity to shape it. On February 13, 2026, CISA announced a series of virtual town halls in response to requests for additional engagement.

However, due to the ongoing partial government shutdown currently affecting the Department of Homeland Security (DHS), CISA has postponed the town hall meetings originally scheduled for March 9 through April 2, 2026. CISA has indicated that continued DHS funding lapses will likely delay the issuance of the final rule.

The proposed rule would require prompt reporting of cyber incidents and ransomware payments from an estimated 316,244 affected entities spanning the 16 critical infrastructure sectors — including chemical, communications, energy, financial services, food and agriculture, healthcare, information technology and transportation.

These requirements underscore the need for enterprise-wide visibility into cyber incidents and escalation processes, particularly for complex or diversified organizations, supported by exercises to pressure-test the plan you will follow in the event of a cyber incident.

What and when are the town halls?

CISA has described the town halls as a “limited additional opportunity for external stakeholders to provide input on refining the scope and burden” of the proposed reporting requirements, beyond the formal comment period that closed in July 2024. The agency has indicated it may reopen the comment period in the future, if warranted. In its Federal Register announcement, CISA acknowledged stakeholders’ interest in a final rule that strengthens national cybersecurity while keeping the burden on critical infrastructure entities to a minimum.

CISA will be seeking specific, actionable improvements to clarify reporting requirements and reduce burden, while enhancing the federal government’s visibility into cyber threats affecting critical infrastructure. The agency has noted that the most useful input would be concrete examples of how the proposed rule may impact regulated entities, along with recommendations that would make CIRCIA more effective for critical infrastructure owners and operators.

Once DHS is reopened, CISA will issue an updated notice with a revised town hall schedule on its website. Registered entities should receive email updates, and stakeholders should also monitor the Federal Register to learn of the new dates once rescheduled. Written materials or data related to a town hall may be submitted within seven calendar days following the relevant session, and all sessions will be transcribed and entered into the CIRCIA rulemaking docket.

Factors influencing the rulemaking process

The final rule was expected in May 2026, according to a September 2025 regulatory filing that revised the original October 2025 statutory deadline. While CISA has framed the town hall engagement as an opportunity “to provide input on refining the scope and reduce burden” in response to extensive feedback, several factors appear to be shaping the pace of the rulemaking.

Much of the feedback CISA received following the notice of proposed rulemaking focused on scope, definitional clarity, and reporting burden. Feedback also highlighted potential overlap with existing regulatory regimes, including banking agency requirements, Securities and Exchange Commission (SEC) disclosure rules, and state mandates. Financial services stakeholders have sought carve-outs, citing existing reporting obligations. At the same time, sustained bipartisan congressional interest continues to apply pressure to advance the rule.

Looking ahead

CIRCIA remains a congressional mandate with bipartisan support, but as CISA has noted, the DHS funding lapse will likely delay the issuance of the final rule. Changes in CISA’s staffing since CIRCIA’s passage may also shape the final timeline. Organizations should continue to track the rulemaking, assess whether they may fall within its scope, and, if potentially affected, prepare for compliance obligations that could take effect as soon as late 2026.

Understanding the proposed rule

CIRCIA’s origins trace to the US Cyberspace Solarium Commission, whose recommendations shaped the 2022 statute. The rule represents the most significant expansion of CISA’s authority since the agency was created in 2018. For industries accustomed to existing reporting frameworks, such as financial services, the concern is duplication. For previously under-regulated sectors, CIRCIA represents a significant new compliance obligation.

CISA issued the 447-page proposed rule to implement CIRCIA in March 2024. The following month, the White House issued the National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), replacing Presidential Policy Directive 21 (PPD-21) as the authoritative guideline for critical infrastructure security. NSM-22 aligns the government around what will be a covered entity. While it maintains PPD-21’s general framework, including the designation of the 16 critical infrastructure sectors, NSM-22 expands CISA’s oversight roles, highlights the need for operational collaboration, expands the definition of critical infrastructure assets, and prioritizes minimum requirements for risk management.

The aim of mandatory reporting is to help CISA more effectively identify threat patterns in real time, fill critical information gaps, deploy resources rapidly to help cyber-attack victims and alert others who are potentially affected. More broadly, it supports CIRCIA’s fundamental policy goal: to protect US national security, economic security and public health and safety through a coordinated approach for understanding cyber incidents across critical infrastructure sectors. Such an approach can help address blind spots that can exist in the current landscape of specialized and often sector-specific cyber reporting requirements from an array of federal, state and local authorities.

To meet the regulatory goal of obtaining timely reports of cyber incidents at sufficient scale to identify patterns and provide early warnings, the proposed rule would require an expansive group of covered entities to report cyber incidents within a 72-hour window. Reporting of ransom payments would be due within 24 hours after payment is disbursed.

Although subject to change based on stakeholder input, the measure sets the contours of regulatory expectations and makes clear the extent of its potential reach. What’s less clear is how to resolve the many questions raised by the details in this mammoth proposal.

Affected organizations should continue to seek answers to any unresolved questions via CISA’s town halls, assess their potential exposure and prepare for the requirements of a mandatory, rather than voluntary, cyber disclosure regime. Continue to engage with CISA and industry peers to address areas of concern and ambiguity.

What companies are subject to CISA reporting?

NSM-22 defines “critical infrastructure” as the essential physical and virtual assets and systems that are extremely important for the country and would have a severe negative impact on national security, economic security or public health and safety if they were disabled or destroyed. Critical infrastructure consists of distributed networks, different organizational structures, various operating models, interconnected systems and governance constructs. Under CIRCIA, entities within this defined critical infrastructure are recognized as “covered entities,” subject to specific cyber reporting and management requirements.

In addition to critical infrastructure organizations, NSM-22 includes "systemically important entities" (SIEs). These are entities whose infrastructure is crucial, and if disrupted or not working properly, would have significant negative effects on national security, economic security and public health or safety. CISA will work with other federal agencies to create the list of SIEs, which will not be made available to the public.

CISA anticipates that the process for an entity to determine if it falls within a critical infrastructure sector will typically be straightforward. For example, entities engaged in or facilitating transportation, such as airplane or car manufacturers, airport and train station operators, and trucking companies, can readily self-identify as being in the transportation services sector. Banks, credit unions, credit card companies, registered broker-dealers and other entities providing financial services can similarly self-identify as being in the financial services sector.

What does the rule say?

Where self-identification is less clear, the proposed rule explicitly applies to an entity in a critical infrastructure sector that either exceeds the small business size standard in the Small Business Administration’s regulations or meets one or more sector-based criteria in proposed §226.2(b), regardless of the entity’s size.

The sector-based criteria proposed for chemical companies, for instance, would capture any entity that owns or operates a CFATS-covered chemical facility. The sector-based criteria for healthcare and public health organizations would include, among others, entities that manufacture any Class II or III medical device.

Guidance on sector-based criteria

To justify subjecting smaller entities to CIRCIA reporting if they meet any of these sector-based criteria, CISA reasoned:

[A]n entity’s size does not necessarily reflect its criticality. Some entities in a critical infrastructure sector that fall below the proposed size-based thresholds own or operate systems or assets that would be likely to meet the definition of critical infrastructure set forth by 42 U.S.C. 5195c(e). One of the main purposes of this regulatory program authorized by CIRCIA is to enhance the security and resiliency of critical infrastructure, and therefore, receiving [reports] from as many entities that own or operate critical infrastructure as possible is imperative to meet this directive.

In applying these sector-specific criteria, CISA proposes that the covered entity is “the entire entity … not the individual facilities or functions” that meet the sector-specific criteria. Consequently, a substantial cyber incident experienced by a noncritical part or facility of a covered entity would still need to be reported.

Questions to consider

  • Is your sector considered critical infrastructure under NSM-22?
  • If it is considered critical infrastructure, do you have sufficient information to determine if your organization is a covered entity?
  • Regardless of your organization’s size, would it be considered a covered entity because it meets one or more sector-based criteria in proposed §226.2(b)?
  • Is additional clarity needed to determine whether your organization is a covered entity?

What cyber incidents must be reported?

CIRCIA requires CISA to define the term “covered cyber incident” in its proposed rule. Because the statute requires that covered entities report only those incidents that qualify as covered cyber incidents to CISA, this definition is essential for triggering the reporting requirement. CISA is proposing to define covered cyber incident to mean “a substantial cyber incident experienced by a covered entity.”

In turn, the proposed rule defines “substantial cyber incident” to mean a cyber incident that leads to any of the following:

  1. Substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network.
  2. Serious impact on the safety and resiliency of a covered entity’s operational systems and processes.
  3. Disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services.
  4. Unauthorized access to a covered entity’s information system or network — or any nonpublic information it contains — that’s facilitated through or caused by a compromise of a cloud service provider, managed service provider or other third-party data hosting provider or by a compromised supply chain.

The fourth item above is significant in that unauthorized access alone — without resulting in the impacts described in items 1-3 — would qualify as a substantial cyber incident if it’s facilitated through or caused by a third-party provider or supply chain breach. Given the pervasive use of third-party services across all sectors, this provision could pose unique challenges in determining whether a reportable incident has occurred. Rather than intermittent vendor assessments, organizations should adopt continuous third-party risk monitoring to strengthen governance with actionable KPIs for managing third-party, supply chain, legacy, and cloud-based risks.

Excluded events

CISA proposes to exclude three events from its definition of substantial cyber incident.

  • Any lawfully authorized activity of a federal, state or local government entity, including activities undertaken pursuant to a warrant or other judicial process.
  • Any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system.
  • A threat of disruption as extortion, as described in 6 U.S.C. §650(22).

This last exclusion clarifies that the threat of a system’s disruption to extort a ransom payment that doesn’t result in actual disruption is an imminent but not “actual” event and therefore need not be reported.

Illustrative examples

To help covered entities determine what might and might not qualify as a substantial cyber incident, CISA offers this non-exhaustive list of examples.

Incidents that likely would qualify as substantial cyber incidents

  • A distributed denial-of-service attack rendering a covered entity’s service unavailable to customers for an extended period of time.
  • Any cyber incident that encrypts one of a covered entity’s core business systems or information systems.
  • A cyber incident that significantly increases the potential for a release of a hazardous material used in chemical manufacturing or water purification.
  • A cyber incident that compromises or disrupts a bulk electric system (BES) cyber system that performs one or more reliability tasks.
  • A cyber incident that disrupts a communications service provider’s ability to transmit or deliver emergency alerts or 911 calls, or results in the transmission of false emergency alerts or 911 calls.
  • The exploitation of a vulnerability resulting in the extended downtime of a covered entity’s information system or network.
  • A ransomware attack that locks a covered entity out of its industrial control system.
  • Unauthorized access to a covered entity’s business systems caused by the automated download of a tampered software update, even if no known data exfiltration has been identified.
  • Unauthorized access to a covered entity’s business systems using compromised credentials from a managed service provider.
  • The intentional, unauthorized exfiltration of sensitive data for an unauthorized purpose, such as through compromise of identity infrastructure or unauthorized downloading to a flash drive or online storage account.

Incidents that likely would NOT qualify as substantial cyber incidents

  • A denial-of-service attack or other incident that only results in a brief period of unavailability of a covered entity’s public-facing website that does not provide critical functions or services to customers or the public.
  • Cyber incidents that result in minor disruptions, such as short-term unavailability of a business system or a temporary need to reroute network traffic.
  • The compromise of a single user’s credential, such as through a phishing attempt, where compensating controls (such as enforced multifactor authentication) are in place to preclude use of those credentials to gain unauthorized access to a covered entity’s systems.
  • Malicious software is downloaded to a covered entity’s system, but antivirus software successfully quarantines the software and precludes it from executing.
  • A malicious actor exploits a known vulnerability, which a covered entity has not been able to patch but has instead deployed increased monitoring for tactics associated with its exploitation, resulting in the activity being quickly detected and remediated before significant additional activity is undertaken.

When are CISA reports due?

CIRCIA requires covered entities to report to CISA covered cyber incidents within 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred, and ransom payments made in response to a ransomware attack within 24 hours after the payment has been disbursed.

What constitutes a reasonable belief?

CISA acknowledges that the point at which a covered entity should have “reasonably believed” a covered cyber incident occurred is subjective and will depend on the specific factual circumstances. Accordingly, the agency isn’t proposing a definition of the term “reasonably believes,” nor does it try to prescribe a specific point in the incident life cycle when a “reasonable belief” will always be realized. Rather, CISA is providing guidance to help covered entities understand when a “reasonable belief” might be expected to have occurred.

CISA doesn’t expect a covered entity to have reached a “reasonable belief” that a covered cyber incident happened immediately upon its occurrence, although this can happen (e.g., when an entity receives a ransom demand simultaneously with discovery that it’s been locked out of its system). An entity may need to perform some preliminary analysis before coming to a reasonable belief that a covered incident occurred. Preliminary analysis may be necessary, for instance, to quickly rule out certain benign causes or determine the extent of the incident’s impact. CISA believes that in most cases, this analysis should be relatively quick (i.e., hours, not days) before a reasonable belief can be obtained, and generally would occur at the subject matter expert level and not the executive officer level. As time is of the essence, the agency expects a covered entity to engage in this preliminary analysis as soon as reasonably practicable after becoming aware of an incident.

Joint reports

A covered entity that experiences a covered cyber incident and makes a ransom payment within 72 hours after it reasonably believes a covered cyber incident has occurred may submit a joint covered cyber incident and ransom payment report to CISA within 72 hours after it reasonably believes the incident has occurred.

Supplemental reports

A covered entity must promptly submit supplemental reports to CISA once it becomes aware of substantial new or different information regarding a previously reported incident. “Substantial new or different information” includes but isn’t limited to any information that the covered entity was required to provide as part of a covered cyber incident report but did not have at the time of submission. This obligation continues unless and until the covered entity notifies CISA that the incident in question has been fully mitigated and resolved.

CIRCIA requires supplemental reports be submitted “promptly,” which CISA interprets as within 24 hours of the triggering event. If a covered entity submits a supplemental report on a ransom payment made after the covered entity submitted a covered cyber incident report, as required by §226.3(d)(1)(ii), it must submit the supplemental report within 24 hours after disbursing the ransom payment.

Questions to consider

  • Do you have the process and capabilities to deliver CISA reports within the proposed time frames?
  • How would the 72-hour reporting requirement affect your engagement with other regulators or government agencies?
  • Does CISA provide enough clarity on the definitions of “substantial cyber incident” and “reasonable belief” to make disclosure decisions within 72 hours?
  • Who in your organization will determine “reasonable belief”?

Is CISA reporting harmonized with other cyber disclosure requirements?

Congress sought to reduce the compliance burden of filing duplicative cyber reports to multiple federal agencies. Under CIRCIA, a covered entity that’s required by law, regulation or contract to report substantially similar information on a covered cyber incident or ransom payment to another federal agency in a substantially similar timeframe doesn’t have to submit a CIRCIA report if CISA has an information-sharing agreement and mechanism in place with the other agency. The law similarly excludes duplicative supplemental reports to CISA.

What does the rule say?

The proposed rule would implement this harmonization mandate in §226.4. That provision would create an exception for a covered entity that’s required to report “substantially similar information within a substantially similar timeframe” to another federal agency, if that agency has an information-sharing agreement in place with CISA.

The proposal sets parameters around when CISA will accept a report made to another agency in satisfaction of CIRCIA’s reporting requirements. Specifically, CISA will enter into an information-sharing agreement with a federal agency — defined in the proposal as a “CIRCIA agreement” — when CISA has determined the agency requires cyber incident reporting on “substantially similar information in a substantially similar timeframe” and the agency has “committed to providing the covered entity’s report to CISA within the relevant deadlines.” CISA commits to working in good faith with other federal agencies to have CIRCIA agreements in place before the final rule’s effective date.

NSM-22 maintains previously stated approaches to achieve harmonization and appoints a National Coordinator and Sector Risk Management Agencies (SRMAs) to synchronize the risk reporting cycle to improve efficiency and reduce duplication of effort.

Will it work in practice?

Whether this commitment will result in actual harmonization of duplicative reports is unclear. Citing its involvement in harmonization efforts by the Cyber Incident Reporting Council (CIRC), which developed a model definition of a reportable cyber incident, CISA observes that CIRCIA reporting requirements are different from, or more stringent than, most existing requirements — including in some respects the CIRC model definition. “While many of the regulations CISA reviewed have some similarities in how they define and interpret what is a reportable cyber incident, the specific language, structure, examples, and actual requirements varied greatly based on the specific agency mission and purpose of the regulation,” CISA noted.

The most effective approach to harmonization, CISA concludes, is for other agencies to use CIRC’s model definition of a reportable cyber incident to the extent possible by revisiting current rules or applying it in future rule-making.

Questions to consider

  • What are potential approaches to harmonizing CIRCIA’s reporting requirements with other existing federal, state or local laws, regulations, directives or similar policies that require disclosure of cyber incidents or ransom payments?
  • How can CISA reduce actual, likely or potential duplication or conflict between CIRCIA reporting and other federal, state or local requirements?
  • What are concrete examples from other laws, regulations, directives and policies that conflict with CIRCIA?
  • What are concrete examples of the burden that comes from fulfilling duplicate reporting requirements and where harmonization matters most?

What enforcement tools does CISA have?

As authorized by CIRCIA, the proposed rule creates enforcement mechanisms for CISA to obtain information from a covered entity about a covered cyber incident or ransom payment that the entity failed to report. These powers include issuing a request for information (RFI), issuing a subpoena to compel disclosure, making a referral to the US attorney general for a civil enforcement action and initiating acquisition, suspension and debarment procedures against entities that do business with the federal government.

Requests for information

CISA could issue an RFI to a covered entity if there’s reason to believe that the entity experienced a covered cyber incident or made a ransom payment but failed to report it. “Reason to believe” that a covered entity failed to submit a CIRCIA report may be based on public reporting or other information in the government’s possession, which includes analysis performed by CISA.

The agency may decide the scope and nature of information necessary to confirm whether a covered cyber incident or ransom payment occurred. Requested information could include electronically stored information, documents, reports, verbal or written responses, records, accounts, images, data, data compilations and tangible items. A covered entity would have to reply in the manner and format, and by the deadline, specified in the RFI.

Subpoena powers

If the entity doesn’t respond by the RFI deadline or responds inadequately, CISA could issue a subpoena to compel disclosure. Subpoenaed information — like that requested in an RFI — could include electronically stored information, documents, reports, verbal or written responses, records, accounts, images, data, data compilations and tangible items.

CISA would have authority to share information submitted in response to a subpoena with the US attorney general or a federal agency if CISA finds grounds for criminal prosecution or enforcement action. The attorney general or agency could use that information to initiate a criminal prosecution or enforcement action. Any decision by CISA to exercise this authority can’t be appealed.

Civil enforcement actions

If a covered entity fails to comply with a subpoena, CISA could refer the matter to the attorney general to bring a civil action to enforce the subpoena. A US district court may order compliance with the subpoena and punish noncompliance as a contempt of court. If the action was based on classified or protected information, that information could be submitted to the reviewing court without the covered entity’s participation. Covered entities wouldn’t have a right to appeal.

Criminal penalties

The proposal also authorizes criminal penalties for false statements. Any person who knowingly and willfully makes a materially false or fraudulent statement or representation in connection with, or within, a CIRCIA report, response to an RFI or response to an administrative subpoena would be subject to penalties under 18 U.S.C. §1001. These include a fine, imprisonment of up to five years (eight years if the offense involves terrorism) or both.

Recognizing the potential for good-faith errors in CIRCIA reports, CISA says it “would not consider scenarios where a covered entity reports information that it reasonably believes to be true at the time of submission, but later learns through investigation that it was not correct and submits a Supplemental Report reflecting this new information, to constitute a false statement or representation.”

Questions to consider

  • Would the proposed enforcement and information-sharing requirements have a chilling effect on your outreach to other agencies?
  • Would uncertainty surrounding enforcement have a chilling effect on your willingness to collaborate with CISA outside of this rule?
  • Are your data retention practices, forensic capabilities, and breach analytics functions sufficient to report and respond to potential requests for information or subpoenas?

Contact us

Tonya Ugoretz

Cyber & Risk Innovation Institute Leader, PwC US

Shawn Lonergan

Principal, Technology & Operational Resilience, PwC US

Kristen Maynes

Principal, PwC US
