Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) announced a series of public town hall meetings to solicit additional stakeholder input on the Notice of Proposed Rulemaking (“Proposed Rule”) implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which CISA published in April 2024.
Background
CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA. While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue regulations to provide further detail on the scope and implementation of these requirements. CIRCIA required CISA to publish a Final Rule by September 2025, but the agency delayed publication last fall until at least May 2026.
Refining the Scope and Burden of CIRCIA
As discussed in a previous blog post, the Proposed Rule broadly defined covered entities to include any entity that is in one of the 16 critical infrastructure sectors established under Presidential Policy Directive 21 (“PPD-21”) and either (i) does not qualify as a small business under applicable Small Business Administration regulations, or (ii) meets one or more sector‑specific criteria (collectively, “applicability criteria”).
According to the notice, CISA is organizing these town halls for external stakeholders to comment on how the Proposed Rule could be refined to clarify or reduce regulatory burdens while preserving the government’s visibility into cyber threats affecting critical infrastructure. The town halls, which will be held virtually between March 9 and April 2, 2026, will include five sector-specific sessions as well as two general sessions open to all participants (schedule provided below). CISA has emphasized that the town halls are a “limited engagement opportunity for stakeholders,” and that it would not be reopening the formal comment period for the Proposed Rule.
CISA provides fourteen “specific topics of interest” for the town halls that primarily cover three aspects of the Proposed Rule: (1) the scope of the applicability criteria under the covered entity definition, (2) the types of incidents that would qualify as a substantial (i.e., reportable) cyber incident, and (3) harmonizing CIRCIA reporting requirements with existing federal and state, local, tribal, and territorial (“SLTT”) requirements. These topics include:
- Whether a size-based criterion should be included, and whether entities that qualify as covered entities solely due to size thresholds, and not because of sector‑specific criteria, should be treated differently or require additional clarification in the Final Rule.
- Whether the Final Rule should include the current sector-based criteria, and whether other lists of entities in critical infrastructure sectors should be included.
- Whether the Final Rule should include additional criteria specifically to cover open-source code or software, including the use of such code or software by managed service providers or cloud service providers.
- Whether CISA’s proposed examples of incidents that likely would or would not constitute a substantial cyber incident are appropriate, and whether additional examples should be added to improve clarity and practical understanding.
- Improvements to the contents of reports and the proposed approach for RFIs and subpoenas.
- Potential approaches to harmonize CIRCIA’s regulatory reporting requirements with other existing federal or SLTT laws, and feedback on proposed interpretations of what constitutes a substantially similar timeframe and substantially similar information.
- How to reduce actual, likely, or potential duplication or conflict between other federal or SLTT laws, regulations, directives, or policies and CIRCIA’s reporting requirements.
Each town hall is intended to be virtual and is tentatively scheduled for two hours on the following dates:
- March 9, 2026: Chemical Sector; Water and Wastewater Sector; Dams Sector; Energy Sector; and Nuclear Reactors, Materials, and Waste Sector
- March 12, 2026: Commercial Facilities Sector; Critical Manufacturing Sector; and Food and Agriculture Sector
- March 17, 2026: Emergency Services Sector; Government Facilities Sector; and Healthcare and Public Health Sector
- March 18, 2026: Communications Sector; Transportation Systems Sector; and Financial Services Sector
- March 19, 2026: Defense Industrial Base Sector and Information Technology Sector
- March 31, 2026: General Session 1
- April 2, 2026: General Session 2
While the announcement states that CISA is not reopening the public comment period, CISA noted it may do so in the future, and the agency will still accept data or other written materials from participants within seven (7) calendar days of the meeting.
Looking Ahead
This announcement signals a potential shift away from the broad scope and limited exceptions provided in the Proposed Rule. In particular, CISA’s topics of interest suggest that CISA will be receptive to feedback from industry on options to adjust the scope of the Proposed Rule and facilitate harmonization with existing reporting requirements. The latter would be a notable development in comparison to the Proposed Rule, which suggested that there were no existing reporting requirements likely to qualify under CIRCIA’s proposed exception for “substantially similar reported information.” Organizations that wish to participate in the town halls must register via CISA’s website. Organizations are also permitted to submit written materials for consideration as part of the town hall meetings and must provide this information to CISA no later than seven calendar days after the meeting. CISA will release any written materials submitted, transcripts of each meeting, and the names and affiliations of attendees to the public.