CIRCIA - Cyber Incident Reporting for Critical Infrastructure Act
CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, was signed into law on 15 March 2022 as part of the Consolidated Appropriations Act. CIRCIA requires covered entities in U.S. critical infrastructure sectors to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours. CISA published the Notice of Proposed Rulemaking on 4 April 2024; the final rule and effective date are pending as of 2026.
Reporting Deadlines
- 72 hours: report a "covered cyber incident" to CISA from the time the covered entity reasonably believes a covered cyber incident has occurred
- 24 hours: report a ransom payment made in response to a ransomware attack
- Supplemental reports: promptly submit updates when substantial new or different information becomes available
Who Is a Covered Entity
Under the proposed rule, covered entities include all entities in the 16 critical infrastructure sectors (defined by Presidential Policy Directive 21) that meet a size threshold or that fall within one of the listed sector-specific criteria. Small businesses below the size-based threshold may still be covered if they operate in specific high-impact roles.
CIRCIA vs SEC Item 1.05
CIRCIA and SEC Item 1.05 are independent regimes that can both apply to the same incident. CIRCIA reports go to CISA confidentially; SEC reports are public on EDGAR. CIRCIA's 72-hour clock starts on reasonable belief; SEC's 4-business-day clock starts on materiality determination. CIRCIA applies to critical infrastructure entities of any structure; SEC Item 1.05 applies to public companies of any sector.
Track the CIRCIA 72-hour clock
IR-OS tracks the CIRCIA 72-hour and 24-hour deadlines, captures the reasonable-belief determination, and produces the audit-ready record CISA expects.