The CISA Industrial Control Systems Cyber Incident Analysis Act (CIRCIA) requires critical infrastructure operators to report certain cybersecurity incidents to the federal government within defined timeframes. Many industrial operators are uncertain whether CIRCIA applies to them and what they must report. The honest answer: CIRCIA's scope is still being clarified, but the law exists and CISA is beginning to enforce it. If you operate critical infrastructure, you should assume CIRCIA applies to you and prepare now.
Unlike NERC CIP, which applies primarily to electric utilities, CIRCIA applies broadly to organizations that operate critical infrastructure across energy, water, communications, transportation, and other sectors. If disruption of a facility you operate would affect critical infrastructure or public health, CIRCIA likely applies to you. CISA's definition of "significant incident" is still evolving, but the trend is toward lower thresholds. Better to err on the side of reporting than to miss a requirement.
What CIRCIA Requires
CIRCIA requires reporting of cybersecurity incidents to CISA that involve industrial control systems or critical infrastructure. Incidents must be reported within 72 hours of discovery. The report must include details about the incident, its scope, affected systems, and response actions. The directive emphasizes speed over completeness: CISA understands that you may not have all the details 72 hours after discovering an incident. Report what you know, and provide updates as you learn more.
Organizations can report incidents directly to CISA through a secure online portal or through third parties (security service providers, consultants). Many organizations find that a trusted third party handles the logistics and reduces the administrative burden. Reporting does not trigger automatic investigation or mandatory disclosure. CISA may contact you for additional information, but the initial report is just that: a report.
Preparing for CIRCIA Reporting Obligations
- Clarify CIRCIA applicability: Determine whether your operation falls under critical infrastructure and whether CIRCIA applies to you. Consult with your legal team, your industry association, and CISA if needed. Document this determination.
- Define "significant incident": CIRCIA's definition is evolving. Create an internal definition of what constitutes a reportable incident for your organization. Err on the side of reporting. Include in your incident response playbook a decision point: is this incident CIRCIA-reportable?
- Build a reporting process: Define who can authorize a CIRCIA report within your organization. Establish a process for gathering the information CISA requires. Know how to access CISA's portal and practice uploading a test report.
- Prepare initial reporting templates: Create a template for the initial 72-hour report. Include fields for incident discovery date, affected systems, initial scope, and response actions to date. This template lets you report quickly without missing critical information.
Reporting and Legal Considerations
Organizations sometimes fear that reporting an incident to CISA will expose them to liability. In practice, CIRCIA reporting is protective. It establishes that you discovered and reported an incident responsibly. It creates a record of your incident response. Failure to report, if CIRCIA applies to you, is the actual liability risk. We strongly recommend erring on the side of reporting.
We help critical infrastructure operators understand their CIRCIA obligations, prepare reporting processes, and ensure they're ready if an incident occurs. Let's discuss CIRCIA preparedness for your organization.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.