This holiday season—following a year of headline breaches, surging supply-chain attacks, and major regulatory changes—cyber resilience tops every corporate wish list.

The Cybersecurity and Infrastructure Security Agency (“CISA”) remains at the forefront of U.S. cybersecurity amid a turbulent year of leadership change and policy realignment. With the long‑awaited Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) final rule now slated for May 2026 and a continuing focus on international cyber strategy, the agency is poised to shape the future of critical infrastructure security. CIRCIA will introduce mandatory cyber incident and ransom payment reporting for covered critical infrastructure entities, driving faster federal response and shaping compliance programs, contractual obligations, and risk governance across sectors. At the same time, CISA’s Fiscal Year 2025–2026 International Strategic Plan sets out the federal government’s stated approach to cross‑border cyber defense—prioritizing partnerships, information sharing, and supply‑chain risk mitigation—with direct implications for transnational firms. Yet CISA faces major challenges, including leadership gaps, workforce constraints, and increased political scrutiny, that may threaten its ability to fulfill its mission in the year ahead.

CIRCIA Finally Takes Center Stage

Congress created CISA in 2018 through legislation signed by President Trump, establishing it as the Department of Homeland Security’s unified federal authority for cybersecurity and critical infrastructure protection. Four years later, in 2022, CIRCIA was enacted to establish a uniform, mandatory federal baseline for reporting significant cyber incidents and ransom payments to CISA. CIRCIA’s core aim is to improve the federal government’s visibility into threats affecting critical infrastructure and, to the extent practicable, to reduce duplicative and fragmented reporting through interagency coordination and “report-once” mechanisms. It will not, however, displace sector-specific and other legal reporting obligations.

Prior to CIRCIA, the Cybersecurity Information Sharing Act of 2015 (“CISA 2015”) established a voluntary regime under which non‑federal entities could share cyber threat indicators and defensive measures with the federal government—principally through DHS/CISA—with accompanying liability and other protections. CISA 2015 included a ten-year sunset provision and lapsed on October 1, 2025; on November 12, however, Congress and President Trump temporarily extended it through January 30, 2026, without substantive changes. Notably, CISA 2015 does not require incident or ransom payment reporting—a gap CIRCIA was designed in part to close for entities within critical infrastructure sectors. Against this backdrop, CIRCIA represents one of the most significant developments in U.S. cyber risk governance. Although the final rule had been expected in October 2025, continued delays now place anticipated finalization in May 2026, leaving operators of critical infrastructure with a narrowing window to prepare for a more structured, time-bound, and standardized reporting regime that will operate alongside existing sectoral requirements.

CIRCIA Unwrapped: Key Reporting Obligations

At the heart of CIRCIA is a simple proposition with complex implications: covered entities must report covered cyber incidents to CISA within 72 hours, and ransom payments within 24 hours.

What Entities Are Covered?

As discussed in a previous client alert, CISA published a Notice of Proposed Rulemaking (“NPRM”) for CIRCIA in April 2024, establishing an intentionally broad scope that encompasses any organization within a critical infrastructure sector that either exceeds the small business size standard or meets specific enumerated criteria. As a result, entities that may not traditionally view themselves as part of critical infrastructure could fall within the regulation’s scope. The NPRM states, “CISA believes that the overwhelming majority of entities in the United States—though not all—fit within one or more of the critical infrastructure sectors and thus would meet the definition of ‘an entity in a critical infrastructure sector.’” Covered sectors include chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, and water and wastewater systems. Based on this broad definition, CISA estimates that more than 300,000 entities will be subject to the regulation—a number that far exceeds the population of federal government contractors.

In practice, entities are considered “covered” if they fall within one of the above sixteen critical infrastructure sectors and exceed the SBA’s small business size standard, or if they meet one of CISA’s sector-based criteria regardless of size. Examples include entities providing wire or radio communications services, emergency services to populations of 50,000 or more, operators of financial sector infrastructure, hospitals with 100 or more beds, certain education agencies, and a broad range of IT vendors—including software developers and managed service providers—that support government or sector operations. As a result, many organizations that interact with critical infrastructure—even if they do not own or operate it—may be subject to CIRCIA’s requirements. According to the NPRM, entities generally not considered part of a critical infrastructure sector include advertising firms, law firms, political parties, graphic design firms, think tanks, and public interest groups.

What Incidents Must Be Reported and How?

CIRCIA creates two fast clocks: a 72-hour report for a “covered cyber incident,” running from the time the entity reasonably believes the incident occurred, and a 24-hour report for any ransom payment, running from the time the payment is made. The regulation requires detailed technical information in these reports, mandates preservation of related data for two years, and calls for prompt supplemental updates as new facts emerge.

  • Covered Cyber Incident (72 hours): A report must be submitted within 72 hours after the organization reasonably determines it has experienced a “covered cyber incident.” Such incidents are defined as “substantial” events, which may include significant loss of confidentiality, integrity, or availability of information; serious impacts on operational safety or resiliency; disruption of business or industrial operations; or unauthorized access resulting from cloud, managed service, third-party hosting, or supply chain compromises. The “reasonable belief” standard permits a brief, expert-level preliminary assessment (typically hours, not days), and may be met immediately in clear-cut situations. Initial reports may indicate “unknown at this time” for facts that are still emerging.
  • Ransom Payment (24 hours): If a ransom is paid, a Ransom Payment Report must be submitted within 24 hours of the payment, regardless of whether the underlying event also qualifies as a covered incident. “Ransom payment” is broadly construed to include money or other assets (including virtual currency) transferred in connection with a ransomware attack. Ransomware attacks involve unauthorized or malicious code—or threats thereof—used to extort payment by compromising systems. Entities may file a single, consolidated report addressing both the covered incident and the ransom payment when appropriate.
  • Report Content: Reports must be submitted via the CIRCIA Incident Reporting Form, accessible through CISA’s official website. Each submission requires information on the reporting entity, including full contact details and the identity of the individual responsible for filing. For Covered Cyber Incidents, the entity must provide a thorough and technically detailed account of the incident, including a chronological timeline and an assessment of the incident’s impact. The report must identify the categories of information reasonably believed to have been accessed or acquired, describe any vulnerabilities exploited, and detail the security measures and defenses in place at the time of the incident. It must also outline the mitigation and response actions the entity has taken. For Ransom Payments, the required disclosures closely mirror those for Covered Cyber Incident Reports, with additional information specific to the ransomware event: the ransomware variant used, the ransom demand, the payment instructions, the nature and timing of the payment, and the outcome of the transaction.
  • Supplemental Report: Covered entities must “promptly” file supplemental reports when substantial new information arises, including after any subsequent ransom payment. Entities may also file an optional closure report once the incident is fully mitigated. Third parties—such as incident response firms, counsel, insurers, or service providers—may submit reports on behalf of the entity, but ultimate compliance responsibility remains with the covered entity.

How Does CIRCIA Affect Existing Reporting Regimes?

CIRCIA does not preempt sectoral rules, such as the federal banking agencies’ 36‑hour computer-security incident notification rule, so many organizations will face overlapping obligations running on different clocks. A covered entity may forgo a CIRCIA filing only if it reports “substantially similar” information within a “substantially similar” timeframe to another federal agency that has an information‑sharing agreement with CISA, and CISA must maintain a public catalog of any such agreements. This is a significant shift for firms accustomed to 30–60‑day disclosure windows, and it remains to be seen how broadly these harmonization agreements will materialize. As a result, entities within critical infrastructure sectors—including firms in the financial sector—should expect to continue satisfying applicable supervisory notifications and other federal, state, and self-regulatory reporting requirements alongside CIRCIA, unless and until specific interagency arrangements allow a single submission to satisfy multiple regimes.

How Will CIRCIA Be Enforced?

The NPRM clarifies that federal, state, and local governments are prohibited from using information obtained solely through a report submitted under CIRCIA, or in response to a request for information (“RFI”), as a basis to regulate the activities of a covered entity. However, this protection does not extend to information produced in response to a subpoena; such information may be shared with the Attorney General or the head of a federal regulatory agency and may serve as grounds for criminal prosecution or regulatory enforcement action. CIRCIA equips CISA with a range of enforcement mechanisms to address both suspected failures to report a covered incident and deficiencies in incident reports. CISA may initially issue an RFI, and if the response is insufficient, proceed to issue a subpoena. Continued noncompliance with a subpoena may result in referral to the Attorney General, who may initiate a civil action to enforce the subpoena or seek contempt of court.

CISA Under Pressure

CISA’s statutory mission extends well beyond implementation of CIRCIA. For example, in October 2024, CISA released its Fiscal Year 2025–2026 International Strategic Plan, reflecting a long-recognized operational reality for critical-infrastructure operators and multinational enterprises alike: cyber risk is inherently transnational. Modern supply chains span jurisdictions, threat actors routinely reuse infrastructure and techniques across borders, and regulatory fragmentation creates friction for organizations navigating differing incident-reporting thresholds, data-localization requirements, and sector-specific mandates.

Although the International Strategic Plan remains published, the Trump Administration has proposed, and in part carried out, significant reductions to CISA’s funding and staffing, affecting not only the agency’s cross-border work but its entire operational footprint. The Administration recently ended a pay incentive program designed to attract and retain cyber experts at CISA—a workforce already diminished by layoffs, resignations, and reassignments. Earlier this fall, DHS reassigned hundreds of national security specialists, including cyber personnel, to support immigration enforcement initiatives, with compulsory transfers affecting CISA staff who previously focused on critical infrastructure protection. Leadership instability and program retrenchment have also weakened elements of the nation’s early warning system for cyberattacks, including partnerships between technology firms and federal agencies. Collectively, these developments have disrupted longstanding federal cyber coordination mechanisms and introduced new uncertainty into the national cyber defense posture on which private enterprises depend.

What Companies Should Do Now

While organizations may have little direct influence over restructuring and funding reductions at CISA, they can take proactive steps to prepare for the evolving cyber risk landscape—especially with CIRCIA’s requirements on the horizon. The objective is not merely compliance with CIRCIA; it is building the muscle memory and technical groundwork for faster, clearer decisions under stress, with reporting as an output of sound incident response rather than a scramble at hour 71.

  • Start with governance. Define an integrated incident decision framework that maps investigative milestones to legal triggers, including CIRCIA’s 72-hour requirement and any sectoral obligations. Establish a cross-functional incident steering group—legal, privacy, security operations, communications, and, for critical infrastructure, operations—authorized to make reporting and notification determinations on incomplete information. Document escalation thresholds and recordkeeping practices designed to withstand post-incident scrutiny.
  • Align contracts and third parties. Map critical vendors and upstream dependencies, then update contracts to require timely, standardized incident notifications, cooperation for CIRCIA and sectoral reporting, and clear delineation of forensic responsibilities. For financial services, pay special attention to service providers embedded in transaction flows, settlement functions, and customer identity systems.
  • Exercise and evaluate. Conduct cross-functional tabletop exercises that simulate the first 72 hours of a real incident, including uncertainties, conflicting signals, and decision forks. Use these exercises to test your reporting triggers, internal and external communications, and technical evidence-gathering.
  • Engage leadership and the board. Brief leadership on the coming CIRCIA framework, the status of information-sharing protections, and the secure-by-design implications for procurement and product development. Facilitate scenario-based discussions to move beyond abstract descriptions of risk and reveal specific tradeoffs, such as potential downtime during forensic investigations and the effects of implementing stricter authentication controls on customers.

Looking Ahead

The objective in 2026 is not to turn a private company into its own intelligence agency or a de facto regulator. Instead, it is to develop the connective tissue—within organizations and between public and private partners—that empowers organizations to anticipate and outpace evolving cyber threats. Ropes & Gray will continue to monitor developments affecting CISA and support clients as they prepare for CIRCIA’s implementation in May 2026.