Key Takeaways
- The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) plans to issue the final rule implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in September 2025.
- Once effective, covered critical‑infrastructure organizations must report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours; the rule applies across all 16 U.S. critical‑infrastructure sectors.
- CISA missed the statutory October 2025 deadline for the final rule, having published the proposed rule in April 2024 and holding additional stakeholder town halls in June 2024 after a spring DHS shutdown delayed scheduling.
- Two federal contracting cybersecurity rules are also slated for finalization in September 2025: one establishing standardized cyber‑requirements for unclassified federal information systems, and another governing cyber‑threat and incident reporting and information‑sharing across agencies.
- These regulatory actions align with the Trump administration’s broader cyber agenda, which includes a forthcoming national cyber strategy, updated federal incident‑reporting rules, and an AI security collaboration framework.
- CISA recently launched ANCHOR‑CI (Alliance of National Councils for Homeland Operational Resilience‑Critical Infrastructure) to enhance government‑industry information sharing and bolster critical‑infrastructure resilience.
- Stakeholders should prepare now for the 72‑hour/24‑hour reporting timelines, align internal processes with the upcoming contracting standards, and engage with ANCHOR‑CI forums to stay ahead of evolving compliance expectations.
Overview of CIRCIA Implementation Timeline
The Cybersecurity and Infrastructure Security Agency (CISA) is moving toward the final rule that will operationalize the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). According to the Unified Agenda of Federal Regulatory and Deregulatory Actions, CISA expects to publish the final regulation in September 2025. This timeline follows the agency’s release of a proposed rule in April 2024 and reflects ongoing efforts to incorporate stakeholder feedback before the rule takes effect. The upcoming final rule marks a significant milestone in federal cyber‑policy, translating congressional intent from 2022 into enforceable obligations for the nation’s critical‑infrastructure owners and operators.
Reporting Obligations Under CIRCIA
Once the CIRCIA final rule becomes effective, it will impose two primary reporting windows on covered entities. Organizations must notify CISA of any covered cyber incident within 72 hours of discovery. In addition, any ransomware payment made in connection with a cyber incident must be reported within 24 hours. These requirements apply uniformly across the United States’ 16 designated critical‑infrastructure sectors, including energy, water, transportation, communications, and financial services. The tight timelines are designed to enable rapid federal situational awareness and facilitate coordinated response efforts.
Status and Delays of the CIRCIA Rule
Although Congress enacted CIRCIA in 2022, the final rule has lagged behind its statutory deadline. CISA missed the October 2025 target for issuing the regulation, a delay attributed in part to the spring 2024 DHS shutdown that disrupted scheduled stakeholder engagements. To mitigate the impact, CISA conducted additional town‑hall meetings in June 2024 to gather further input on the proposed requirements. These outreach sessions aimed to address industry concerns and refine the rule before its eventual release, illustrating the agency’s commitment to a collaborative rulemaking process despite procedural setbacks.
Additional Federal Cybersecurity Rules Expected This Fall
Beyond CIRCIA, the Unified Agenda forecasts two other significant cybersecurity regulations slated for finalization in September 2025. The first is a federal contracting rule that will establish standardized cybersecurity requirements for unclassified federal information systems, aiming to create a uniform baseline across agencies. The second rule concerns cyber‑threat and incident reporting and information‑sharing among federal contractors and agencies. Both regulations originated from proposed versions issued in 2023 and have been anticipated as complementary measures to tighten the federal cybersecurity supply chain and improve cross‑agency situational awareness.
Alignment with Broader Administration Cyber Initiatives
The impending CIRCIA rule and the forthcoming contracting regulations dovetail with the Trump administration’s wider cybersecurity strategy. In February 2025, administration officials unveiled a suite of initiatives, including a new national cyber strategy, an update on federal incident‑reporting protocols, and the development of an artificial‑intelligence security collaboration framework. Together, these efforts seek to harden federal networks, bolster critical‑infrastructure defenses, and foster innovation in cyber defense technologies while ensuring that reporting mechanisms keep pace with evolving threats.
CISA’s ANCHOR‑CI Initiative and Industry Collaboration
To strengthen the partnership between government and industry, CISA recently launched the Alliance of National Councils for Homeland Operational Resilience‑Critical Infrastructure (ANCHOR‑CI). This alliance is designed to expand information‑sharing channels, enhance joint planning exercises, and improve the overall resilience of U.S. critical infrastructure. By bringing together sector‑specific councils, ANCHOR‑CI aims to create a unified forum where best practices, threat intelligence, and mitigation strategies can be exchanged rapidly, thereby supporting the objectives outlined in CIRCIA and related regulations.
Implications for Critical Infrastructure Stakeholders
For owners and operators of critical infrastructure, the approaching CIRCIA deadline necessitates immediate preparation. Entities should review their incident‑detection and response capabilities, ensure that reporting pipelines can meet the 72‑hour/24‑hour windows, and integrate ransomware‑payment tracking into their compliance programs. Simultaneously, stakeholders must monitor the forthcoming contracting rules to align internal cybersecurity policies with the new federal standards. Engaging with ANCHOR‑CI working groups and participating in CISA‑hosted outreach events will help organizations stay informed, share lessons learned, and demonstrate proactive adherence to the evolving regulatory landscape.
Conclusion and Outlook
The federal cybersecurity landscape is poised for significant change this fall, with CIRCIA’s final rule set to impose stringent reporting timelines on critical‑infrastructure entities, complemented by new contracting standards that unify cyber requirements across government programs. These developments reflect a broader administration push to fortify national cyber defenses through strategy updates, AI‑focused collaboration, and enhanced government‑industry partnership via initiatives like ANCHOR‑CI. Organizations that act now to refine their incident‑response mechanisms, align with upcoming contractual obligations, and leverage ANCHOR‑CI forums will be best positioned to navigate the forthcoming regulatory environment and contribute to a more resilient national infrastructure.

