CISA Seeks Additional Feedback on Cybersecurity Reporting Rules
The Cybersecurity & Infrastructure Security Agency (CISA) announced a series of virtual town halls to be held in March and April 2026 to solicit more industry feedback on its forthcoming cybersecurity reporting rules. Those rules will require certain entities operating in critical infrastructure sectors to report "Covered Cyber Incidents" to CISA within 72 hours of discovery and "Ransom Payments" within 24 hours of making the payment. CISA was granted authority to issue these rules under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which we discussed in a prior blog post. The agency published its proposed rules (Proposed Rules) in a notice of proposed rulemaking (NPRM) in April 2024.
CISA already has delayed issuance of its final reporting rules following comments from the industry, including substantial criticism of CISA's broad proposed definitions of "Covered Entities" and "covered cyber incidents" subject to the rules. The rules originally were due to be finalized by September 2025. However, after receiving hundreds of comments on its Proposed Rules and criticism from lawmakers (as well as significant feedback to an earlier Request for Information and during a series of listening sessions), CISA delayed its final rules until at least May 2026. We previously discussed some criticisms of the Proposed Rules and CISA's decision to delay finalizing its rules.
CISA announced its latest series of town halls in the Federal Register last Friday, February 13, 2026. That announcement identifies several topics on which CISA would find industry feedback "most useful," including several that have been among the most frequent targets of industry criticism. Those topics include:
- Size-based criteria for defining "covered entities." A significant point of contention with the Proposed Rules has been their definition of "covered entities." Many expected that CISA's rules would apply only to entities in critical infrastructure sectors that met certain criteria—for example, entities that operate especially critical systems. However, the Proposed Rules apply broadly to entities in critical infrastructure sectors that meet specific "sector-based criteria" or that exceed small business thresholds from the Small Business Administration (SBA). Critical infrastructure sectors are described broadly under Presidential Policy Directive 21 and include "Commercial Facilities," "Communications," "Energy," "Financial Services," "Healthcare and Public Health," "Information Technology," and others. According to CISA's own analysis in the NPRM, more than 30,000 entities (about 10% of the total number of entities estimated to be covered) would be covered by the rules solely because they exceed the SBA size thresholds—even though they would not meet any of the rules' sector-based criteria. CISA's February 13 announcement says that the agency intends to solicit feedback on both "[t]he scope of entities that would only be considered covered entities because of size-based criterion and would not meet any of the sector-based criteria," as well as whether to include a size-based criterion at all.
- Sector-based criteria for defining "covered entities." CISA also intends to solicit feedback on issues related to the Proposed Rules' sector-based criteria. The Proposed Rules currently have no sector-specific criteria for entities in the Commercial Facilities, Dams, Food and Agriculture, and Oil and Natural Gas sectors. CISA asks whether sector-specific criteria should be developed for entities if the agency removes or modifies the size-based thresholds. CISA also seeks feedback on whether an alternative set of sector-specific criteria based on the Environmental Protection Agency's Risk Management Program (EPA RMP) should be used for the Chemical sector instead of the criteria currently proposed. The agency also seeks input on whether there are other types of entities that should be included as "covered entities," either instead of or in addition to the Proposed Rules' existing applicability criteria.
- Criteria for Managed Service Providers (MSPs) or Cloud Service Providers (CSPs). CISA asks for input regarding whether the Proposed Rules should have specific applicability criteria for MSPs and CSPs that use open-source software or reporting requirements for incidents involving open-source software, open-source code, or code repositories. CISA's NPRM asked for feedback on how the rules should address open-source software given the potentially massive downstream effects on critical infrastructure if open-source code contains critical vulnerabilities. The agency noted in the NPRM that it was considering including sector-based criteria for the Information Technology sector that would cover MSPs and CSPs that used open-source software in their proprietary software libraries.
- Examples of "substantial cyber incidents." The Proposed Rules provide a list of incidents that would and would not constitute a "Substantial Cyber Incident." Under the Proposed Rules, any substantial cyber incident experienced by a covered entity is a covered cyber incident.
- CISA's proposed interpretations of "substantially similar information" and a "substantially similar time frame." Under the Proposed Rules, covered entities are not required to report a covered cyber incident to CISA if they report "substantially similar information" in a "substantially similar time frame" as what is required under the proposed rules. CISA seeks feedback on the meaning of these terms, which will be consequential for entities that are subject to multiple federal cyber incident reporting rules.
- Improvements to required contents of incident reports. The Proposed Rules include enumerated requirements for reports of both covered cyber incidents and ransom payments. Information that must be included for covered cyber incidents includes highly detailed information, such as technical details of affected systems and networks, a description of unauthorized access, dates and timelines of the incident, any impact to the entity's operations, description of vulnerabilities exploited, information about tactics, techniques, and procedures (TTPs) used by the attackers, indicators of compromise (IOCs), and mitigation steps taken by the covered entity, among other details. Some industry commentators have raised concerns about entities' ability to provide such detailed information within a short period of time. CISA seeks input on changes to these requirements.
- Improvements to RFI and subpoena processes. The Proposed Rules permit CISA to send a request for information (RFI) to a covered entity where CISA has a "reason to believe" that the entity experienced a covered cyber incident or made a ransom payment but failed to make a required report. If the covered entity fails to respond to the RFI, CISA then may issue a subpoena. If the covered entity fails to respond to the subpoena, CISA may refer the matter to the Department of Justice for enforcement, including through a contempt proceeding. CISA seeks feedback on potential improvements to these processes.
- Deconfliction and harmonization with Federal, State, Local, Tribal, and Territorial (SLTT) reporting laws. CIRCIA directs CISA to take various steps to "deconflict" and "harmonize" its reporting requirements with existing federal and SLTT cybersecurity reporting requirements. A report conducted under CIRCIA identified 52 in-effect or proposed incident reporting requirements at the federal level alone, in addition to the data breach reporting laws enacted by every U.S. state and multiple territories. CISA now seeks input on approaches for deconflicting and harmonizing these numerous requirements.
CISA's February 13 announcement says that the agency is not reopening the NPRM's comment period at this time but may elect to do so in the future.
Town Hall Schedule
CISA's town hall series includes five virtual sessions focused on specific sectors, followed by two general virtual sessions:
- Chemical Sector; Water and Wastewater Sector; Dams Sector; Energy Sector; and Nuclear Reactors, Materials, and Waste Sector—March 9, 2026
- Commercial Facilities Sector; Critical Manufacturing Sector; and Food and Agriculture Sector—March 12, 2026
- Emergency Services Sector; Government Facilities Sector; and Healthcare and Public Health Sector—March 17, 2026
- Communications Sector; Transportation Systems Sector; and Financial Services Sector—March 18, 2026
- Defense Industrial Base Sector and Information Technology Sector—March 19, 2026
- General Session 1: March 31, 2026
- General Session 2: April 2, 2026
CISA will post the start and end times for each session at www.cisa.gov/circia. Registration via that website is required for attendees.
DWT's Information Security practice actively advises clients on compliance with cybersecurity reporting requirements across all industries and sectors. We will continue tracking CISA's development of its cyber reporting rules.