
Jun 05, 2026 · 5 min read

CIRCIA Town Halls Set: Cyber Reporting Rule Lands Soon

CISA quietly published a Federal Register notice on May 26 confirming June 15 through 18 as the new dates for its rescheduled CIRCIA rulemaking town halls. The Cyber Incident Reporting for Critical Infrastructure Act will require covered entities in 16 critical infrastructure sectors to report substantial cyber incidents within 72 hours — and ransom payments within 24 hours — to the federal government.

The original town halls were on the books for March and April 2026 but went sideways during the Department of Homeland Security funding lapse that ended on April 30. CISA has consolidated what was a sprawling sector-by-sector schedule into two four-hour blocks covering eight critical infrastructure sectors apiece, plus two general sessions. The meetings run from 11:30 a.m. to 3:30 p.m. Eastern.


Key Takeaways

  • CISA published a Federal Register notice on May 26, 2026 rescheduling CIRCIA rulemaking town halls to June 15 through 18, 2026.
  • The rescheduled meetings consolidate previously sector-specific sessions into two four-hour blocks covering eight sectors each, plus two general sessions, all running 11:30 a.m. to 3:30 p.m. Eastern.
  • The funding lapse at the Department of Homeland Security that ended April 30, 2026 forced the original March and April schedule into the second quarter.
  • Once finalized, CIRCIA requires covered entities to report substantial cyber incidents to CISA within 72 hours and to report any ransomware payment within 24 hours.
  • The reporting obligation applies to covered entities in 16 critical infrastructure sectors — financial services, healthcare, energy, communications, transportation, water systems, IT, defense industrial base, government facilities, and others.

What Is CIRCIA?

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is the law that finally moved the United States from voluntary cyber incident sharing to mandatory federal reporting for the operators of the country's most sensitive infrastructure. The statute passed in 2022. The rulemaking that defines who has to report, what counts as a substantial incident, what gets sent, how long the data is retained, and how it interacts with overlapping disclosure regimes like SEC Item 1.05 has dragged on through draft, comment, and now town hall phases.

The headline numbers are unforgiving by design. Substantial cyber incidents must be reported within 72 hours of the covered entity reasonably believing one occurred. Ransom payments must be reported within 24 hours of the payment being made. Late reports and incomplete reports both expose the entity to subpoena power under the statute, with potential civil litigation referrals to the Department of Justice as the escalation path.

Why the Town Halls Matter

The June 15 through 18 town halls are the last open input opportunity before CISA finalizes the rule. The single most contested question across the comment record so far has been the definition of "substantial," because the same incident that looks like a substantial breach to a 200-person regional water utility looks like noise to a Fortune 100 cloud provider, and a one-size definition forces somebody to over-report and somebody else to under-report.

Other contested items: how CIRCIA reports interlock with SEC Item 1.05 cybersecurity incident disclosures, how the 24-hour ransom payment clock interacts with Treasury's Office of Foreign Assets Control sanctions advisories, and whether reports submitted to a sector-specific regulator should automatically satisfy CISA's obligation.

How Compliance Teams Should Prepare

  • Map your organization to one or more of CIRCIA's 16 critical infrastructure sectors today. If you are not sure whether you qualify as a covered entity, treat that as the first finding to resolve, not the answer.
  • Stand up a single incident response playbook that targets the 72-hour clock as the binding deadline. Multiple parallel disclosure regimes (state breach notification, SEC, sector-specific) all start their clocks from different events, and the 72-hour window is the tightest.
  • Build a ransom decision tree. If your incident response policy is silent on whether and when you would pay a ransom, the 24-hour reporting clock will start on a decision your leadership has not precommitted to making.
  • Coordinate with outside counsel on the data minimization question. CIRCIA reports become part of a federal record and your privilege posture matters before, not after, the report goes out.
  • Register for and attend the relevant June town halls. Public comment that is on the record before the final rule lands is the only input mechanism left.

For related federal reporting and KEV process context, see CISA opening its KEV nomination form to outside researchers and the new CISA AI binding operational directive.

The Bigger Compliance Picture

CIRCIA is the federal floor. State breach notification laws, the SEC's four-day Item 1.05 obligation, FERC, NRC, FDIC, OCC, NCUA, and HIPAA all keep their separate clocks running on top of it. The town halls will not change that overlapping reality, but they are where the final rule's edges get rounded, and where compliance teams find out whether the regulator has heard their concerns. June 15 is on the calendar.
