US ransomware and cyber extortion policy

A DHS Funding Lapse Pushed CIRCIA's Cyber-Reporting Rule Behind Again — and Handed Regulators a Chance to Narrow It

CISA's rescheduled June town halls reopen the question of whether a 316,000-entity reporting mandate can be made proportionate before it goes final.

[Infographic: "CIRCIA by the Numbers" (People of Internet Research, peopleofinternet.com): 316,244 entities in scope; $2.6B estimated 11-year cost; 72 hrs incident report deadline; 24 hrs ransom payment deadline]

Key Takeaways

On May 26, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) published a Federal Register notice (Doc. 2026-10417) resetting the calendar for its long-running CIRCIA rulemaking town halls. The sessions had been scheduled for March and April, but were cancelled when Department of Homeland Security appropriations lapsed from February 14 to April 30, 2026. CISA has now consolidated the events into four virtual sessions running June 15 through June 18, 2026, from 11:30 a.m. to 3:30 p.m. Eastern — two general sessions bracketing two four-hour blocks that each cover eight critical-infrastructure sectors.

The procedural reshuffle matters because of what still sits unfinished behind it: the final rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022. As proposed, that rule would require covered critical-infrastructure entities to report significant cyber incidents to CISA within 72 hours, and any ransom payment within 24 hours of disbursement.

What the rule would actually require

CISA published its Notice of Proposed Rulemaking on April 4, 2024, with a comment window that closed July 3, 2024. The proposal is sweeping. By CISA's own regulatory analysis, roughly 316,244 entities would fall within scope across the 16 federally designated critical-infrastructure sectors — of which about 310,855 are small entities. The agency pegged the eleven-year undiscounted cost at $2.6 billion, split between roughly $1.4 billion in industry compliance costs and $1.2 billion in federal costs.

The 72-hour clock does not start when an investigation concludes. It begins when a covered entity reasonably believes a covered incident has occurred — a deliberately early trigger meant to give the government situational awareness while an attack is still unfolding. The 24-hour ransom-payment report must include what the victim knows about the attacker, the amount and mechanism of payment, and the impact of the incident.

The case for the mandate is real

It is worth stating the strongest version of the government's argument before contesting it. Ransomware remains a genuine national-security problem, and the United States has historically flown blind: most extortion incidents are never reported to any federal agency, payments flow to sanctioned and adversary-linked actors in the dark, and CISA cannot warn the next hospital or water utility about a campaign it never learns is happening. Mandatory, time-bound reporting — particularly of ransom payments — is the most direct way to convert thousands of isolated private incidents into a shared early-warning picture. On that logic, a federal floor beats the current patchwork of state breach laws and sector-specific rules that capture only fragments of the threat. This is a legitimate public good, and dismissing it would be a strawman.

But the proposal is broad where it should be sharp

The problem is proportionality, not purpose. A rule that sweeps in over 300,000 entities — the overwhelming majority of them small businesses — risks burying genuinely actionable reports under a flood of low-signal filings, while imposing fixed compliance costs on firms least able to absorb them. A 24-hour ransom-payment window, in particular, lands during the precise hours a victim is triaging an active extortion event, coordinating with counsel and insurers, and deciding whether paying is even lawful. Compliance obligations that compete with incident response can degrade the very security outcome the rule exists to protect.

The overlap problem is equally serious. Critical-infrastructure operators already report to sector regulators, the SEC, the Transportation Security Administration, banking supervisors, and others. CISA itself acknowledged that the deadline slipped in part so that CIRCIA could be harmonized with these existing frameworks. Duplicative, slightly mismatched reporting regimes don't add security; they add lawyers, forms, and the risk that a firm reports correctly to one agency and is found non-compliant by another.

A missed deadline becomes a second chance

CIRCIA's statute contemplated a final rule roughly 18 months after the NPRM — by about October 2025. CISA missed that, and per the Office of Management and Budget's regulatory agenda, publication is now expected in May 2026. As CyberScoop reported in September 2025, the agency attributed the delay to the volume of public comments and the need to streamline and de-conflict the requirements. The DHS funding lapse has now pushed the engagement sessions themselves into June.

Delay is usually a failure. Here it is closer to an opportunity. The rescheduled town halls give CISA a final, structured window to narrow scope before the mandate locks in. Three adjustments would preserve the rule's intelligence value while shrinking its drag on innovation and small business:

None of this requires abandoning mandatory reporting. It requires aiming it. A leaner CIRCIA that 316,000 entities can actually comply with — and that doesn't punish victims for cooperating — will generate better threat intelligence than a maximalist rule that buries CISA in noise and invites litigation. The June sessions are the place to make that case, and industry should show up with specifics rather than objections.

Sources & Citations

  1. Federal Register: CIRCIA Town Hall Meetings notice (May 26, 2026)
  2. Federal Register: CIRCIA Reporting Requirements NPRM (Apr 4, 2024)
  3. Covington Inside Privacy: revised CIRCIA town hall schedule
  4. CyberScoop: CISA pushes final CIRCIA rule to May 2026
  5. Alston & Bird: CISA Revives CIRCIA Rulemaking