
Certification
Christopher Porter, Training Camp
7 min read

CIRCIA Final Rule Is Coming in May: What Your Organization Needs to Do Now

The Cyber Incident Reporting for Critical Infrastructure Act has been law since March 2022. Most organizations in critical infrastructure sectors know it exists. Far fewer have done anything substantive to prepare for it. With CISA now expected to publish the final rule in May 2026, that window is closing fast. This is not a situation where waiting for the final text before taking action is a reasonable strategy.

The core reporting obligations have been stable throughout this whole rulemaking process. Seventy-two hours to report a substantial cyber incident. Twenty-four hours to report a ransomware payment. Those aren’t going to change in the final rule. What May will actually deliver is clarity on scope, definitions, and enforcement details. If you’re waiting on that before doing anything, you’re already behind.

CIRCIA does not require organizations to prevent every incident. It requires them to know when one has occurred and report it quickly. That distinction matters enormously for how you build your compliance posture.


What CIRCIA Actually Requires

CIRCIA applies to covered entities operating across 16 critical infrastructure sectors. Energy, healthcare, financial services, transportation, water systems, communications, and defense industrial base organizations are among those in scope. CISA has estimated the rule will ultimately apply to more than 300,000 entities. The small business exemption provides some relief for organizations below SBA size thresholds, generally fewer than 500 employees or less than $7.5 million in annual receipts, but most mid-size and large organizations in these sectors should assume they are covered.

A covered cyber incident, under the proposed rule, includes any event that causes substantial loss of confidentiality, integrity, or availability of information systems; serious impact on the safety or resiliency of operational systems; or disruption to the ability to deliver goods or services. That definition is broad by design. The intent is to capture the kind of incidents that matter to national security and public safety, not routine IT problems.

The ransom payment reporting requirement is separate from and in addition to incident reporting. An organization that pays a ransom must notify CISA within 24 hours regardless of whether the underlying incident has been reported. These are two distinct obligations with different clocks. Managing them simultaneously under pressure requires preparation that cannot be improvised in the moment.

⏱️ CIRCIA Reporting Timelines
72 HOURS

Report a substantial covered cyber incident to CISA. The clock starts from a reasonable belief that an incident has occurred, not from confirmed attribution or full forensic analysis.

24 HOURS

Report a ransomware payment to CISA. This is a separate, standalone obligation. It applies whether or not the incident itself meets the covered cyber incident threshold.

MAY 2026

Expected publication of the final rule. The compliance effective date will likely follow 12 to 18 months later, but organizations starting from scratch will need most of that time to build the required capabilities.


Where Most Organizations Are Unprepared

The 72-hour reporting window sounds manageable until you actually map out what it demands. First you have to detect that something happened. Then you have to assess whether it clears the covered cyber incident threshold. Then you have to pull together enough factual detail for a credible submission to CISA. All of that happens while your team is simultaneously fighting the incident itself. Organizations that lack real detection and monitoring capability will watch 72 hours disappear before they even have a clear picture of what they’re dealing with.

The workforce problem compounds this. Incident detection, threshold assessment, and regulatory reporting aren’t tasks you hand to a generalist IT staffer at 2am during an active event. They require people who’ve actually practiced this: people who know what a reportable incident looks like, how to scope it quickly, and how to document findings in a way that holds up to scrutiny. That’s not theoretical knowledge you pick up from a policy document.

Then there’s the governance side, which honestly gets the least attention. CIRCIA reporting isn’t a purely technical decision. Legal, executive leadership, communications, and operations all have a seat at the table. If your organization hasn’t figured out who owns the reporting call, who has actual authority to submit to CISA, and how you coordinate across those groups under a hard deadline, no amount of technical capability will save you when it matters.

CISA is currently conducting sector-specific town halls through March and April 2026 to gather input before finalizing the rule. The Healthcare and Public Health sector session is scheduled for March 17th. If your sector has a scheduled session, participating or reviewing the published feedback is worth doing before the final rule arrives.


The Certification Connection

When you look at what CIRCIA actually requires (incident response capability, risk judgment, and governance structure), a few certifications come up immediately, and for good reason.

CISSP covers the security and risk management domain in depth, including incident response planning, legal and regulatory compliance, and business continuity. The CISSP holder on your team understands how regulatory requirements translate into operational procedures and can help build the reporting infrastructure CIRCIA demands. This is precisely the kind of practitioner organizations need in a decision-making role when a covered incident occurs.

CISM is equally relevant, particularly for the governance layer. CIRCIA reporting is ultimately an organizational decision, not a technical one. Someone has to own the process, coordinate across departments, and take accountability for the submission to CISA. That function maps directly to what CISM-certified professionals are trained to do: manage information security programs with clear governance structures and executive accountability.

Treating CIRCIA as a compliance checkbox is the approach most likely to result in a missed reporting window. The organizations that will actually handle this well are the ones that built the underlying capability before they needed it.

A practical note on timing: even if the final rule’s compliance effective date falls in late 2027 or early 2028, building detection capabilities, defining governance roles, and developing reporting procedures takes time. Organizations that begin now have the option to build deliberately. Organizations that begin after the final rule is published will be building under pressure.


What to Do Before May

The most useful thing any covered entity can do right now is run a simple test. Ask your team three questions: Can we detect a significant incident within hours, not days? Do we have an actual decision process for determining whether something meets the reportable threshold? And is there a named person with real authority who owns the CISA submission? If the answers aren’t immediate and confident, you have your roadmap.

Most organizations will find at least one gap. That’s not a knock on anyone. CIRCIA is genuinely new territory and the rulemaking delays haven’t helped create urgency. But gaps found now get fixed on your schedule. Gaps found during your first covered incident get fixed under a federal reporting clock, which is a significantly worse situation to be in.

🎯 The Bottom Line

CIRCIA is the most significant federal cybersecurity compliance mandate most organizations in critical infrastructure sectors have ever faced. The final rule in May will define the specifics, but the core obligations are already clear and not expected to change. Seventy-two hours is a short window. Meeting it reliably requires detection capability, trained personnel, and governance structures that take time to build correctly. The organizations that will handle CIRCIA compliance well are the ones investing in those capabilities now, not the ones waiting to see what the final rule says before they begin.