CISA Regulations Regarding Cybersecurity Incidents and Critical Infrastructure Proceeding | News & Events
Publish Date: 2026-06-22 14:45:00
Source Domain: www.clarkhill.com
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was passed in 2022. That law required covered entities who are part of so-called “critical infrastructure” to report cybersecurity incidents and ransomware payments to the Federal government. For cyber incidents, the law required reporting to CISA within 72 hours and for ransomware payments, the reporting is required within 24 hours—both tight turnarounds.
The law tasked CISA-the federal government’s cybersecurity and infrastructure security agency-with coming up with rules and regulations for implementing that law. CISA published proposed rules for comment in 2024. Earlier this year, CISA was to hold a series of town halls to allow for public comment on those proposed rules and to offer thoughts on the implementation of the law, but, those were postponed due to a lapse in Department of Homeland Security funding. With funding now restored, CISA has started to hold those town halls.
What has emerged from the submitted comments and these meetings is several concerns from entities covered by the law, which may offer some insight on the ultimate implementation of the 2022 law. While CISA has not released any information on their final rules and are still collecting submitted materials for consideration, the following issues do appear to be the main focus of interested groups.
Definition of Covered Entities
One concern centered on what entities were to be considered “critical infrastructure.” Under the law, CISA is tasked with defining who is and who is not considered critical infrastructure. CISA recognizes sixteen (16) critical infrastructure sectors[1] “whose assets, systems, and networks, whether physical or virtual, are considered vital to the United States….” These sectors, however, cover a very wide swath of industries and businesses (from nuclear reactors to strip malls).
Not surprisingly, many comments on the proposed rules and participants in the town hall…
 "OpenAI Expands Cybersecurity Efforts With Open-Source Bug-Fixing Initiative – Firstpost")