Major Cyber Regulations, Including CIRCIA, Set for Finalization This Fall

0
3

Key Takeaways

  • CISA is set to finalize the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule in September 2026, imposing 72‑hour incident reporting and 24‑hour ransomware‑payment reporting on entities across 16 critical‑infrastructure sectors.
  • The rule’s draft has drawn criticism for being overly broad (potentially covering ~300,000 entities) and for ambiguous definitions of reportable cyber incidents, raising concerns about overlap with existing reporting requirements.
  • Two federal‑contracting cybersecurity rules—one standardizing requirements for unclassified IT systems and another governing cyber‑threat incident reporting and information sharing—are also slated for September 2026 finalization.
  • The Department of Defense (DoD) will issue an interim final rule updating the Cybersecurity Maturity Model Certification (CMMC) program to align with NIST SP 800‑171 Revision 3, adding specificity and organization‑defined parameters.
  • DoD plans an August Notice of Proposed Rulemaking (NPRM) to refresh the DFARS clause “Safeguarding Covered Defense Information and Cyber Incident Reporting,” incorporating advanced standards for highly sensitive data, harmonizing terminology, addressing international agreements, and streamlining vendor identification.

Overview of CISA’s CIRCIA Final Rule
The Cybersecurity and Infrastructure Security Agency (CISA) is preparing to publish the final rule for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in September 2026. Mandated by Congress in 2022, CIRCIA requires owners and operators of designated critical‑infrastructure entities to notify CISA of significant cyber incidents and ransomware payments. Once the rule takes effect, it will represent one of the most expansive cyber‑regulatory frameworks ever enacted in the United States, touching sectors ranging from energy and water to health care and chemicals. The agency has already solicited final feedback through a series of townhall meetings held earlier this summer, indicating that the rule is nearing completion after several years of development.

Scope and Reporting Timelines
Under the forthcoming CIRCIA, the reporting obligations will apply to approximately 300,000 entities spread across sixteen critical‑infrastructure sectors identified by the federal government. Covered organizations must submit a cyber‑incident report to CISA within seventy‑two hours of discovering an incident that meets the rule’s threshold. In addition, any ransomware payment made in response to an attack must be reported within twenty‑four hours. These tight timelines are intended to give the government rapid situational awareness, enabling coordinated responses and the dissemination of threat intelligence to other potentially affected parties. The rule also outlines the information that must be included in reports, such as incident description, impact assessment, and mitigation steps taken.

Delays and Criticisms of the Draft Rule
Although Congress passed CIRCIA in 2022, the final rule has been delayed due to substantive concerns about the draft regulations released by CISA in 2024. Industry stakeholders and several lawmakers argued that the draft’s definition of a “reportable cyber incident” was excessively broad, potentially pulling in a vast number of organizations that pose minimal risk to national security or public safety. Critics also pointed to ambiguities in the language that left unclear what constitutes a qualifying incident, creating compliance uncertainty. Furthermore, some observers warned that the CIRCIA requirements could duplicate or conflict with existing incident‑reporting obligations under sector‑specific statutes (e.g., NERC CIP for the electric grid or HIPAA for health care), leading to redundant reporting burdens and possible regulatory friction.

Federal Contracting Cybersecurity Standardization Rule
In tandem with CIRCIA, the Unified Agenda of Federal Regulatory and Deregulatory Actions indicates that a federal contracting rule aimed at standardizing cybersecurity requirements for unclassified information technology systems will also be finalized in September 2026. The rule’s purpose, as described in the regulatory preview, is to ensure that federal information systems are better positioned to defend against cyber threats by establishing a uniform set of contractual cybersecurity requirements across all agencies for unclassified systems. By harmonizing these expectations, the rule seeks to reduce variability in security posture among contractors, simplify compliance verification, and improve the overall resilience of the federal supply chain.

Cyber Threat Information Sharing Rule for Contractors
A second contracting‑focused rule projected for September 2026 finalization addresses cyber‑threat and incident reporting and information sharing. This rule will create a structured mechanism for defense and civilian contractors to share threat indicators, incident details, and mitigation practices with federal agencies and, where appropriate, with other private‑sector partners. The intention is to foster a more collaborative defense posture, enabling faster detection of emerging threats and coordinated response efforts. Like the standardization rule, this initiative builds on earlier proposals dating back to 2023 and is viewed as a cornerstone for maturing the government’s cybersecurity partnership with its contractor base.

CMMC Updates and Transition to NIST 800‑171 Rev 3
The Department of Defense (DoD) continues to mature its Cybersecurity Maturity Model Certification (CMMC) program. An interim final rule slated for release this month will detail the deadline for shifting CMMC assessments from NIST SP 800‑171 Revision 2 to Revision 3. The update introduces added specificity in security requirements and incorporates organization‑defined parameters (ODPs) in select controls, allowing agencies to tailor certain measures to mission‑specific risks while maintaining a baseline of protection. DoD has been gradually increasing the rigor of third‑party CMMC audits; beginning in November 2026, a third‑party CMMC assessment will become a standard requirement for all applicable contracts, marking a significant step toward universal certification across the defense industrial base.

DFARS Clause Update and Future NPRM
Finally, DoD anticipates issuing a Notice of Proposed Rulemaking (NPRM) in August 2026 to refresh the Defense Federal Acquisition Regulation Supplement (DFARS) clause titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The proposed revision will integrate advanced cybersecurity standards designed to protect especially sensitive information, harmonize terminology across related regulations, address international agreements that affect data handling, and streamline the vendor identification process to reduce administrative overhead. By aligning the DFARS clause with evolving threat landscapes and the broader CMMC framework, the update aims to create a cohesive, end‑to‑end cybersecurity regime for defense contractors—from baseline safeguards through certification verification to incident reporting and information sharing.

Together, these forthcoming regulations signal a coordinated push by civilian and defense entities to raise the cybersecurity posture of the nation’s critical infrastructure and supply chain, balancing the need for robust protection with the imperative to avoid unnecessary duplication and burden on regulated entities.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here