Almost two years after seeking stakeholder input about a final rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) announced that it will hold virtual town hall meetings for certain industry sectors in March and April 2026 to solicit additional input on the Notice of Proposed Rulemaking (NPRM). See Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Rulemaking; Town Hall Meetings. As noted in our prior advisory, CISA extended the deadline to issue final rules to May 2026. According to CISA, the virtual town hall meetings are intended to provide external stakeholders with a limited additional opportunity to help refine the scope and burden of the proposed rule, in response to numerous requests for further engagement and to ensure that the final rule appropriately balances improved national cybersecurity outcomes with minimizing unnecessary compliance burdens.
What is CIRCIA?
As discussed in our prior advisory on April 7, 2024, CIRCIA requires “covered entities,” which are businesses in a critical infrastructure sector, to report significant cyber incidents and ransomware payments to CISA. More specifically, covered entities must report to CISA:
- a “significant cyber incident” that it experiences no later than 72 hours after reasonably believing that the incident has occurred;
- a ransom payment made no later than 24 hours after the ransom payment has been disbursed; or
- if a ransom payment was made relating to a significant cyber incident, the ransom payment and the incident jointly no later than 72 hours after reasonably believing that the incident has occurred.
The proposed rule also would require businesses to provide a variety of technical details about a reported incident, such as the impacted networks and/or devices, the categories of impacted information, the businesses’ security controls, any indicators of compromise, and samples of any malicious software.
Why is CISA Seeking Additional Input?
After publishing the NPRM in March 2024, CISA hosted in-person public listening sessions across the country, conducted virtual sector-specific sessions, and engaged with Sector Risk Management Agencies and other federal agencies to gather input. Despite these efforts and the receipt of numerous comments during the 90-day public comment period, CISA stated that it “has received numerous requests for additional engagement on the CIRCIA rulemaking process and greatly values its stakeholders’ interest in shaping a final rule that maximizes CIRCIA’s impact on our nation’s cybersecurity posture while minimizing unnecessary burden.” CISA has indicated that it is particularly interested in feedback on topics such as the scope of covered entities, the proposed sector-based and size-based criteria, the types and amount of information required to be included in incident reports, and ways to clarify or reduce regulatory burden while still providing the government with timely and actionable cyber threat information.
When are the Virtual Town Hall Meetings?
Although the schedule is in flux due to the partial government shutdown impacting DHS, below are the dates for the upcoming virtual town hall meetings, which stakeholders can register for on CISA’s website. CISA intends to record each town hall meeting and place a transcript of the discussion in the public docket for the CIRCIA rulemaking. In addition, CISA has explained that stakeholders may submit “data or specific written materials” as part of a town hall meeting, provided that such materials are emailed to CISA no later than seven (7) calendar days after the meeting concludes (which we assume means that CISA may consider these submissions in connection with the general sessions, since the materials must be submitted after the town hall meeting and would not otherwise be part of the live discussion).
- Chemical Sector; Water and Wastewater Sector; Dams Sector; Energy Sector; and Nuclear Reactors, Materials, and Waste Sector – March 9, 2026, at 12:00 p.m. (EDT).
- Commercial Facilities Sector; Critical Manufacturing Sector; and Food and Agriculture Sector – March 12, 2026, at 12:00 p.m. (EDT).
- Emergency Services Sector; Government Facilities Sector; and Healthcare and Public Health Sector – March 17, 2026, at 11:00 a.m. (EDT).
- Communications Sector; Transportation Systems Sector; and Financial Services Sector – March 18, 2026, at 12:00 p.m. (EDT).
- Defense Industrial Base Sector and Information Technology Sector – March 19, 2026, at 12:00 p.m. (EDT).
- General Session 1: March 31, 2026, at 11:00 a.m. (EDT).
- General Session 2: April 2, 2026, at 11:00 a.m. (EDT).
These town halls signal CISA’s continued focus on finalizing the CIRCIA rulemaking and underscore the importance for companies to proactively evaluate whether they may be subject to CIRCIA, assess the potential operational, legal, and compliance impacts of the proposed reporting requirements, and consider whether and how to engage with CISA before the final rule is issued.
