The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have officially announced the next critical phase of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) implementation. With the publication of the recent Federal Register document 2026-02948, the Federal government is opening the floor for a high-stakes dialogue that will define the regulatory landscape for years to come. Through this move, the two agencies aim to contain incidents in a more robust and pragmatic manner through transparent and enriched reporting.

Last week, through a notice, the Cybersecurity and Infrastructure Security Agency has solicited feedback from critical infrastructure entities on the CIRCIA Act implementation. The agency is now in the final stages of finalizing this regulation. The feedback will be solicited through a series of town hall meetings with sectoral representatives. In these meetings, representatives will get a chance to share their feedback on the pending rule required in the CIRCIA Act. As per the notice, CISA wants to ensure that CIRCIA implementation should be carried out in such a manner as to enhance the security posture of the country while shrinking any unnecessary burden on CI operators.

As with other measures, we should know that the fine print of any reporting mandate essentially sets the context for compliance. This initiative represents CISA’s effort to bridge the gap between national security imperatives and the operational realities of the private sector. Such dialogue and interaction can strengthen the implementation of CIRCIA, enhance enterprise-level security, and ensure the rollout of the new rule in a manner that doesn’t cause any operational or strategic compliance challenges for entities that fall within its purview.

Before we move forward, don’t forget to check out our previous blog post on “NERC CIP Evidence Pack: How to Document SCADA Patch and Change Management for Audits,” here.

The initiative: Refining the CIRCIA framework

At its very core, CIRCIA is designed to provide the federal government with a good measure of real-time visibility into the cyber threat landscape as reflected in reported events. By requiring critical infrastructure entities to report "substantial" cyber incidents and ransom payments, the goal is to identify patterns, deploy resources, and warn others before a localized breach turns into a full-blown national crisis.

However, the Notice of Proposed Rulemaking (NPRM) which is the subject of these upcoming town halls is essentially where details related to the "who, what, and when" will be finalized. CISA is specifically seeking feedback on:

·  The "Covered Entity" definition: Determining whether size-based criteria (such as small businesses) or sector-based criteria (such as energy, water, finance) should take precedence.

·  Substantial incidents: Defining exactly what qualifies as a "substantial cyber incident." If the definition is too broad, many incidents and significant details will get buried in noise; if it's too narrow, then they may miss the signal.

·  Harmonization: Ensuring companies are not required to submit duplicative reports to multiple agencies.

 Background and implications: From legislation to regulation

Signed into law in 2022, CIRCIA was a direct response to a series of cascading failures that impacted the national economy. The most notable incidents were the Colonial Pipeline and SolarWinds cyberattacks. For decades, cyber incident reporting was largely voluntary, diluted and fragmented.

The implications are profound and have a significant bearing on CI operators:

·  Compliance burden: For the first time, thousands of entities, right from rural water districts all the way to global oil conglomerates will have to work with a 72-hour reporting window for incidents and a 24-hour window for ransom payments.

·  Enforcement power: The rule proposes mechanisms for Requests for Information (RFIs) and subpoenas for entities that fail to report, moving from a "partnership-only" model to one backed by enforceable regulatory authority.

·  National defense: By aggregating this data, CISA can pivot from being a reactive responder to a proactive defender, using shared intelligence to harden the nation's collective defenses.

 The town halls: Your seat at the table

As mentioned earlier, CISA has scheduled a series of town hall meetings to capture raw stakeholder feedback. This presents a rare opportunity for CISOs, general counsels, and policy advocates to speak directly to the architects of the rule and present their perspectives directly to policymakers.

· The format: Each session is expected to last roughly two hours.

·  Participation: Stakeholders must register in advance. To ensure maximum participation, CISA is holding both sector-specific and general town halls.

· Strict protocol: Each speaker is typically allotted three minutes to present “actionable” improvements. This constraint encourages concise, actionable recommendations.

· Transparency: All sessions will be recorded and transcribed, with records placed in the official rulemaking docket. If you have data-heavy feedback, you have 7 calendar days post-meeting to submit written supplements.

 Expected Outcomes: What success could look like

The goal of this exercise is a "Goldilocks" final rule: one that is rigorous enough to protect the country but flexible enough not to bankrupt the entities it covers. We expect the following outcomes from this engagement:

· Refined thresholds: A clearer understanding of which "small" entities are truly critical and which can be exempt.

· Standardized reporting: A push toward a "report once" philosophy, where CISA acts as a clearinghouse for other agencies such as the FBI and the SEC.

· Improved guidance: The development of a "library" of incident examples to help organizations decide, in the heat of a breach, whether the 72-hour clock has started.

So, if you represent a critical-infrastructure sector, these town halls are not optional. Instead, they are an essential part of your 2026 risk-management strategy and an opportunity to influence legislation that materially affects your organization.

Read the notice: here

For more information, please reach out to: Nichole Clagett, CIRCIA Deputy Associate Director, Cybersecurity and Infrastructure Security Agency, circia[attherate]cisa.dhs.gov, 202-815-4427.

 Download the ICS Security for transportation and logistics risk assessment guide

Get your IEC 62443 and NIS2 Compliance Checklist here.

Download: Incident Response Plan Template for Critical Infrastructure Cybersecurity