Preparing for CIRCIA's Reporting Requirements and Avoiding Its Harsh Penalties

Overview

The US Cybersecurity and Infrastructure Security Agency (CISA) recently published a Notice for Proposed Rulemaking intended to supplement the Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA). The notice offers additional information on how CISA intends to implement CIRCIA, outlining how covered entities must report, and retain information on, substantial cyber incidents and ransom payments once CIRCIA’s reporting and retention requirements take effect in 2026. While CIRCIA is subject to further rulemaking before a final rule is published, the reporting and retention requirements outlined within the notice are the most sweeping to date, posing harsh penalties for noncompliance.

The notice makes clear that the federal government intends to impose criminal and civil liability on individuals, including corporate employees reporting on behalf of a covered entity, who interfere with CISA’s ability to obtain accurate information. The information CISA asks of those entities is wide-ranging and includes a description of security defenses the entity had in place at the time of the incident. Penalties for providing false statements or representations include fines, imprisonment of up to five years, or – if the offense involves international or domestic terrorism – imprisonment of up to eight years. Further, in cases of noncompliance with a request for information (RFI) or a subpoena, CISA reserves the right to refer cases to the attorney general for civil actions or to pursue other punitive measures against the individuals involved, such as contempt of court, penalties, suspension, or disbarment.