Let's be honest. When most organizations hear "new cyber reporting requirement," the first reaction is usually frustration. More compliance. More forms. More pressure on already stretched teams.
But CIRCIA compliance is not just another checkbox. It is an operational requirement with a clock attached. If your organization qualifies as a covered entity, you are expected to recognize when a cyber incident becomes reportable, gather specific information quickly, and submit a report to CISA on strict timelines.
Those timelines change how incidents are handled in real life.
Under CIRCIA, organizations must be prepared to submit:
- A 72-hour incident report for covered cyber incidents.
- A 24-hour ransom payment report if a ransomware payment is made.
This guide explains what those requirements mean in practical terms and how to prepare without panic, confusion, or last-minute decision making.
What CIRCIA is and why it exists
CIRCIA stands for the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Its purpose is straightforward: to ensure the federal government has timely, consistent visibility into serious cyber incidents affecting critical infrastructure.
Before CIRCIA, reporting was fragmented. Some incidents were reported to sector regulators. Others were reported to law enforcement. Many were not reported at all, or were reported late, with inconsistent details.
CIRCIA changes that by directing CISA to act as a central reporting point for significant cyber incidents affecting critical infrastructure. The goal is not punishment. The goal is awareness, coordination, and national resilience.
For covered entities, this means cyber incidents are no longer purely internal events. They now have external reporting consequences tied directly to time.
The two reporting clocks that matter
The 72-hour incident report
The core requirement is the obligation to submit a report within 72 hours of when a covered entity reasonably believes a covered cyber incident has occurred.
This does not mean 72 hours after full remediation.
It does not mean 72 hours after root cause analysis is complete.
It means 72 hours after the organization reasonably believes a reportable incident has happened.
That distinction is critical. Reporting is expected even when facts are still emerging. Updates can be submitted later as new, material information becomes available.
Organizations that wait for perfect clarity are the ones most likely to miss the deadline.
The 24-hour ransom payment report
If a ransomware payment is made, a separate and faster obligation applies. A 24-hour ransom payment report must be submitted after the payment is made.
This requirement exists regardless of how stressful or chaotic the incident is at the time. Whether payment is coordinated internally or through third parties, the reporting clock still applies.
This is why CISA ransomware reporting must be treated as its own workflow, not an afterthought.
Who is considered a "covered entity"
The term "covered entity" is central to CIRCIA compliance, but it is not always obvious.
In general, covered entities are organizations operating in critical infrastructure sectors or providing services that are essential to the functioning of those sectors. The final determination depends on regulatory definitions, sector classifications, and thresholds set by CISA.
For practical planning purposes, organizations should assume potential coverage if they operate in or directly support areas such as:
- Energy and utilities
- Healthcare and public health
- Financial services
- Transportation and logistics
- Communications and data infrastructure
- Water and wastewater systems
The safest approach is not to wait for absolute certainty. Instead, organizations should document a reasonable analysis of whether they may be covered and prepare accordingly.
If you later determine you are not covered, preparation still strengthens your incident response program.
What qualifies as a covered cyber incident
Not every security alert is reportable. CIRCIA focuses on incidents that are substantial in nature.
A covered cyber incident is generally one that causes meaningful impact to confidentiality, integrity, or availability, or significantly disrupts operations, systems, or services.
In real terms, this includes incidents such as:
- Extended outages affecting customers or critical operations
- Unauthorized access that leads to confirmed data exposure
- Ransomware attacks that encrypt or disrupt systems
- Incidents that impact operational technology or safety systems
- Compromises that materially affect business or industrial processes
This is why severity classification matters. If your internal incident severity model does not align with these concepts, your team will struggle to make reporting decisions under pressure.
The most common failure point: delaying the decision
Most organizations do not fail CIRCIA compliance because they refuse to report. They fail because they cannot decide quickly enough whether an incident is reportable.
During a serious incident, multiple things happen at once:
- Security teams focus on containment.
- IT focuses on restoration.
- Legal asks for verified facts.
- Leadership asks about impact and risk.
If no one owns the reporting decision, hours or days can be lost debating whether the incident is "substantial enough."
CIRCIA does not allow for extended debate. The clock keeps running.
A simple decision framework that works under pressure
Instead of endless discussion, use a two-stage filter.
First, confirm that the event is a real cyber incident, not just suspicious activity or noise.
Second, assess impact using predefined criteria tied to availability, integrity, confidentiality, and operational disruption.
If the incident crosses any of those thresholds, treat it as reportable and start the 72-hour incident report process immediately.
This approach favors timely reporting over perfect certainty, which is exactly what the regulation expects.
Ransomware and the separate reporting obligation
Ransomware incidents require special attention because payment decisions often happen outside normal incident response channels.
Legal counsel, insurers, negotiators, and executive leadership may all be involved. Payment may be authorized quickly to restore operations.
That is why CISA ransomware reporting must be embedded into the payment decision itself.
The moment payment is approved or executed, the 24-hour ransom payment report obligation is triggered. Security teams should not be learning about payment after the fact.
The simplest rule is this: if payment happens, reporting starts immediately.
What information you should be ready to provide
Even without knowing the final reporting form, organizations should prepare to provide consistent categories of information, including:
- Basic organizational details and points of contact
- A description of what happened and how it was detected
- Timing information, including discovery and estimated occurrence
- Systems, services, or operations affected
- Observed or suspected impact
- Actions taken to contain or remediate the incident
- Details of any ransom payment, if applicable
You are not expected to have every answer within 72 hours. You are expected to provide what you reasonably know at that time and update as new information becomes available.
Why "reasonably believes" matters
The reporting obligation begins when an organization reasonably believes a covered incident has occurred.
This language matters because it acknowledges uncertainty. It also means organizations must document their judgment.
A best practice is to record the date, time, and reasoning behind the decision that an incident became reportable. This creates a defensible audit trail and shows good-faith compliance.
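The two-stage filter, the separate ransom payment clock and the audit-trail record described above, put together as a small Python helper. This is an added example, not code from the original article; the Incident fields, the INC-0001 identifier and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows from the article: 72 h after "reasonable belief", 24 h after payment.
INCIDENT_REPORT_WINDOW = timedelta(hours=72)
RANSOM_REPORT_WINDOW = timedelta(hours=24)

@dataclass
class Incident:
    """Facts known at decision time (field names are this example's own assumptions)."""
    name: str
    confirmed_incident: bool                       # stage one: real incident, not noise
    availability_impact: bool = False              # stage two: predefined impact criteria
    integrity_impact: bool = False
    confidentiality_impact: bool = False
    operational_disruption: bool = False
    reasonable_belief_at: Optional[datetime] = None  # 72 h trigger: not discovery, not remediation
    ransom_paid_at: Optional[datetime] = None        # 24 h trigger
    reasoning: str = ""                            # why the team judged it reportable

def is_reportable(inc: Incident) -> bool:
    """Two-stage filter: a confirmed incident that crosses any impact threshold."""
    if not inc.confirmed_incident:
        return False
    return any((inc.availability_impact, inc.integrity_impact,
                inc.confidentiality_impact, inc.operational_disruption))

def reporting_deadlines(inc: Incident) -> dict:
    """Each clock starts from its own trigger; the ransom clock runs even if the wider incident is not reportable."""
    due = {}
    if is_reportable(inc):
        if inc.reasonable_belief_at is None:
            raise ValueError("reportable incident lacks a documented reasonable-belief time")
        due["incident_report"] = inc.reasonable_belief_at + INCIDENT_REPORT_WINDOW
    if inc.ransom_paid_at is not None:
        due["ransom_payment_report"] = inc.ransom_paid_at + RANSOM_REPORT_WINDOW
    return due

def audit_record(inc: Incident) -> str:
    """One audit-trail line: date, time and reasoning behind the reportability call."""
    decision = "REPORTABLE" if is_reportable(inc) else "NOT REPORTABLE"
    when = inc.reasonable_belief_at.isoformat() if inc.reasonable_belief_at else "n/a"
    return f"{inc.name} | {decision} | reasonable belief at {when} | {inc.reasoning}"

# Constructed sample: ransomware halts production; payment is made the next day.
SAMPLE = Incident(name="INC-0001", confirmed_incident=True, availability_impact=True,
                  operational_disruption=True, reasoning="encryption confirmed on plant historian",
                  reasonable_belief_at=datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc),
                  ransom_paid_at=datetime(2024, 6, 2, 15, 30, tzinfo=timezone.utc))
```

Running `reporting_deadlines(SAMPLE)` yields an incident report due 2024-06-04T10:00 UTC and a ransom payment report due 2024-06-03T15:30 UTC, two independent clocks.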
How to prepare before the incident happens
Preparation is the difference between calm execution and chaos.
Effective preparation includes:
- Assigning a single reporting owner and backup
- Defining internal criteria for reportable incidents
- Creating a standard reporting data template
- Mapping technical evidence sources in advance
- Building a clear ransomware payment notification path
- Running tabletop exercises focused on reporting timelines
These steps do not require new tools. They require clarity and ownership.
Common mistakes organizations make
- Waiting for full forensic certainty before reporting
- Failing to connect ransomware payment decisions to reporting
- Letting multiple teams argue over reportability
- Assuming CIRCIA is covered by other regulations
- Not practicing reporting under time pressure
Avoiding these mistakes is often more important than perfect documentation.
Turning compliance into capability
Organizations that handle CIRCIA well do one thing differently: they treat reporting as an operational function, not a legal afterthought.
They build the ability to summarize incidents clearly, quickly, and honestly. That skill applies far beyond CIRCIA.
The reality is simple. If your team can meet a 72-hour incident report deadline during a real crisis, your overall cyber resilience is already stronger.
FAQs
What is CIRCIA compliance in simple terms?
CIRCIA compliance means certain critical infrastructure organizations must report serious cyber incidents and ransomware payments to CISA within specific timeframes set by law.
Who is considered a covered entity under CIRCIA?
A covered entity is generally an organization operating in or supporting U.S. critical infrastructure sectors that meets criteria defined by CISA in the final CIRCIA rule.
When does the 72-hour incident report clock start?
The 72-hour incident report clock starts when the organization reasonably believes a covered cyber incident has occurred, not when the investigation is fully completed.
Does every ransomware attack require CISA ransomware reporting?
Not every ransomware attack is reportable, but if a ransom payment is made, a 24-hour ransom payment report is required regardless of whether the broader incident is still under investigation.
Can a company submit updates after the initial CIRCIA report?
Yes. Organizations are expected to submit an initial report within the required timeframe and then provide supplemental updates if substantial new information becomes available later.