CISA Hits Pause: Industry Gets Another Say on Cyber Incident Rule

The Cybersecurity and Infrastructure Security Agency (CISA) announced that it is seeking additional stakeholder feedback on a proposed rule to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This effort is rooted in the prior administration's broader push to strengthen national cyber resilience and could significantly reshape federal cyber reporting requirements.

The agency will host a series of town hall meetings in March to gather more “specific” and “actionable” input from industry groups. These meetings are meant to refine the scope and reduce the burden of what has been considered a “sweeping” rule that would require critical infrastructure entities to report substantial cyber incidents and ransomware payments to CISA.

Background: What’s at Stake?

At the center of the discussion is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a law passed by Congress to improve the federal government’s visibility into significant cyber threats targeting critical infrastructure.

CIRCIA mandates that covered entities report:

  • Substantial cyber incidents within a specified time frame
  • Ransomware payments shortly after they are made

CISA’s proposed rule, first released in April 2024, is intended to implement that law. But instead of a smooth rollout, it triggered strong pushback from industry groups across multiple sectors.

Critics argue the proposal:

  • Goes beyond the law’s intended scope
  • Imposes overlapping reporting requirements
  • Creates compliance burdens that could strain operational resources

Now, CISA appears to be recalibrating.

Who Will Be at the Table?

Throughout March, CISA will convene town halls with stakeholders across key sectors, including:

  • Chemical
  • Water
  • Energy
  • Critical manufacturing
  • Communications
  • Financial services

These sectors form the backbone of U.S. critical infrastructure—industries whose disruption could have cascading national security and economic consequences.

The agency emphasized that it will not reopen the formal public comment period for the proposed rule at this time, though it “may elect to do so in the future.” Instead, it is using these meetings as a structured forum to gather targeted feedback.

What CISA Wants to Refine

CISA is specifically requesting feedback on several high-impact areas:

1. Who Should Be Covered?

One of the most contentious issues is defining which entities fall under the rule’s reporting requirements. Industry groups have warned that overly broad definitions could sweep in organizations that lack the resources or risk profile Congress intended to regulate.

2. What Counts as a “Substantial” Incident?

Determining what qualifies as a reportable “substantial cyber incident” remains a central challenge. If the threshold is too low, organizations could be forced to report routine security events. Too high, and the government risks missing emerging threats.

3. Avoiding Duplicative Reporting

Many companies already report cyber incidents to sector-specific regulators, state authorities, or federal agencies. Financial institutions, energy companies, and telecom providers, for example, operate under existing cybersecurity disclosure frameworks.

Industry feedback has stressed the importance of harmonizing requirements to avoid forcing companies to submit similar reports to multiple regulators on different timelines and in different formats.

A Delayed Timeline

In its latest regulatory agenda, CISA indicated it expects to issue a final rule by May 2026—well beyond the October 2025 deadline set by Congress in CIRCIA.

The delay reflects the complexity of balancing national security priorities with operational realities. Crafting a rule that enhances visibility into cyber threats without overwhelming private-sector partners is no small task.

Why This Matters

The stakes are high. Cyberattacks on U.S. infrastructure—from ransomware campaigns targeting hospitals to breaches affecting pipelines and utilities—have demonstrated how vulnerable critical systems can be.

At the same time, compliance-heavy rules risk diverting resources from prevention and response toward paperwork and legal review.

CISA’s outreach suggests the agency recognizes this tension. By seeking more granular feedback, it may be aiming to narrow the rule’s scope, clarify definitions, and reduce redundancy—without undermining Congress’s intent to improve cyber threat visibility.

Whether this recalibration satisfies industry concerns remains to be seen. But one thing is clear: the final shape of the CIRCIA reporting regime will influence how the public and private sectors coordinate on cyber defense for years to come.

As the March town halls unfold, stakeholders will have a critical opportunity to shape one of the most consequential cybersecurity regulations in recent U.S. history.
