Skip to Content

CISA is Open for Comments

on Wednesday, 21 September 2022 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) announced that they have begun the process of soliciting input to draft the regulations required under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  CIRCIA was passed and signed into law by President Biden earlier this year and mandates the reporting of cybersecurity incidents to CISA.  Under the new law CISA has 24 months to solicit input from the public, publish primary draft regulations, receive comments on the draft regulations, and, finally, publish the new regulations for the reporting of cybersecurity incidents to CISA.

CIRCIA requires organizations that fall within one of the sixteen (16) critical infrastructure sectors to report cybersecurity incidents and attacks, including ransomware, to CISA within seventy-two (72) hours.  The reporting requirement does not go into effect until the regulations have been published.  According to CIRCIA the regulations must:

  • [E]establish procedures that clearly describe: 
      • the types of critical infrastructure entities determined to be covered entities;
      • the types of cybersecurity incidents determined to be covered cybersecurity incidents;
      • the mechanisms by which covered cybersecurity incident reports [pursuant to provisions of the Act] are to be submitted;
      • describe the manner in which the Office will carry out enforcement actions … including with respect to the issuance of subpoenas, conducting examinations, and other aspects relating to noncompliance; and
      • any other responsibilities to be carried out by covered entities, or other procedures necessary to implement this section.¹


CISA is especially interested in collecting comments concerning: (1) the meaning of “covered entity”, “covered cyber incident”, “substantial cyber incident” and a number of other terms; (2) Reporting requirements; (3) Reporting procedures; and (4) De-conflicting other federal and state reporting requirements and information sharing.

To participate in the comment process, interested parties should submit comments electronically at and enter CISA-2022-0010 in the search field.


¹CIRCIA at page 10

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500