Federal agencies are increasingly incorporating artificial intelligence into the cyberdefenses of government networks, and there’s more still to come, acting Federal Chief Information Security Officer Michael Duffy said Thursday.

“We’re at an exciting time in the federal government to see that we’re not only putting AI in production, but we’re finding ways to accelerate emerging technology across the government, across all missions and all angles,” Duffy said at FedTalks, produced by Scoop News Group. In his “role overseeing federal cybersecurity policy,” he said, he is “able to see these at the ground level, as agencies bring excitement and enthusiasm and hope for what they can optimize through artificial intelligence.”

Cyber attackers are moving faster than ever, and on a much larger scale than before, he said. They’re also using technology in new ways. But it’s not all “doom and gloom” when it comes to the cybersecurity of federal networks, especially because of feds’ move toward AI, Duffy said.

“I’m pleased to say that the advancements that we’ve made over the past decade in the federal government have brought us to this point: Agencies are poised now, postured, positioned, to take advantage of new capabilities, bring them into federal agencies and make them work for the mission,” he said.

The next decade is important, and needs a “clear vision” of the available technologies and the threat landscape, “and how AI-interconnected digital ecosystems will both strengthen and strain that defensive posture,” Duffy said.

The focus now is on protecting sensitive information and making sure the government has efficient and secure interactions with the general public, he said. That includes “leveraging AI to identify vulnerabilities at scale,” Duffy said.

He said that will require the government to update a key document on federal information security, the Office of Management and Budget Circular A-130. A Biden administration executive order from January ordered an update within three years, and a June Trump executive order retained that requirement, albeit with fewer specifications about what the update would entail.

But Duffy noted the document had not been updated since the onset of large-scale AI adoption; its last update was in 2016.

In coordination with the federal chief information officer, Duffy said his office was undertaking a review of AI to measure its strengths and limitations. That includes several steps, among them evaluating the best methods of swiftly adopting AI but with safeguards for proper use.

“We’ll assess the existing cyber defense capabilities within agencies and explore cyber-centric AI use cases,” he also said.

“We’re working with CISOs to rationalize their cybersecurity tool stack to ensure individual agencies are well-postured for the evolving threat environment, while identifying opportunities to eliminate redundant and ineffective systems and capabilities to leverage enterprise-wide capabilities and programs — shared services to gain efficiencies and scale, successful AI pilots occurring within agencies,” he said.

And “we’re working with agencies to increase operational resilience as well, and our collective capacity to respond to AI incidents,” Duffy said.

The post Agencies increasingly dive into AI for cyber defense, acting federal CISO says appeared first on CyberScoop.

The Cybersecurity and Infrastructure Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.

Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.

A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies’ cyber regulations.

“We received a significant number of public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and ensure clarity,” said Marci McCarthy, director of public affairs at CISA. “Stakeholder input is extremely important as we work to draft a rule that improves our collective security. CISA remains committed to implementing CIRCIA to maximize impact while minimizing unnecessary burden to entities in critical infrastructure sectors.”

McCarthy said CISA would take the time prior to May to “examine options within the rulemaking process to address Congressional intent and streamline CIRCIA’s requirements.”

A top lawmaker and leading industry group also told CyberScoop the delay could help make those kinds of changes.

House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the Trump administration assured him that it would prioritize soliciting additional feedback from groups that would be affected by the regulations.

“I support the administration’s decision to extend the deadline for CIRCIA’s final rule as long as this additional time is used to properly capture private-sector feedback on the proposed rule’s reporting requirements and ensure the final rule fulfills congressional intent for the law,” he said. “I share the concern of many industry stakeholders that CIRCIA should not place duplicative or overly broad requirements on critical infrastructure owners and operators. Doing so could unnecessarily burden America’s cyber professionals as they work to defend our networks from heightened threats.”

The 2022 law will require critical infrastructure owners and operators to report to CISA within 72 hours if they suffer a major cyberattack, and to report within 24 hours if they pay a ransomware demand. It was inspired by a spate of major cyberattacks, such as the 2021 Colonial Pipeline hack.

But CISA’s proposed rule — and how it interpreted the scope of whom the law would apply to or what kind of incidents would constitute reporting to CISA — had drawn industry criticism from groups that wanted a narrower reading of the definitions of the law’s key terms and phrases.

The Information Technology Industry Council, which had co-signed letters about the proposed regulation, said the delay gives CISA a chance to adopt industry input.

“Enhancing operational efficiency through improved visibility into significant cyber incidents remains a top priority for the tech industry,” said Leopold Wildenauer, director of cybersecurity policy for the group. “CIRCIA will have a significant impact on the U.S. cyber landscape, so it’s critical to get it right. CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congress’s original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes.”

Bloomberg Law had earlier reported the planned delay, based on a notice that disappeared from the Office of Information and Regulatory Affairs website for weeks afterward.

Personnel cutbacks at CISA and other developments had long prompted concerns that the agency would not meet the October CIRCIA deadline. Department of Homeland Security Secretary Kristi Noem said in May she would support re-opening industry consultation on the proposed regulation.

The top Democrat on Garbarino’s panel, Mississippi Rep. Bennie Thompson, said the Trump administration appears to have done little to meet the deadline, among other criticisms. He told CyberScoop in an emailed statement that he first learned about the rulemaking time shift last week.

“I’m disappointed that CISA has failed to keep its authorizers — and one of the authors of the CIRCIA — updated of its lack of progress in issuing a final rule,” he said. “I am also disappointed that CISA has yet to initiate an ex parte process to gather additional input to inform the final rule. All evidence suggests the administration burned seven months doing nothing while it could have been engaging with stakeholders and working toward a final rule. Full implementation of CIRCIA will enhance our collective ability to detect and disrupt cyber threats and, if done right, drive harmonization of cyber incident reporting rules.”

The former CISA official who ran the CIRCIA program, Lauren Boas Hayes, wrote in an op-ed for CyberScoop in July that it was always going to be difficult for CISA to meet the October deadline without a confirmed director. The Senate Homeland Security and Governmental Affairs Committee has since approved the nomination of Sean Plankey, but the full Senate has yet to vote to confirm him.

“I am happy to see that they are acknowledging that and moving the deadline to a reasonable timeframe so that they can make those policy decisions, give the program clear prioritization and direction, and continue to move towards a CIRCIA final rule that will have positive impacts for the nation and and for our national security,” Boas Hayes told CyberScoop in response to the shifted deadline. “I hope that the acting director of CISA is providing that clear guidance and prioritization to the staff so that they can continue to make progress now and when the CISA director joins the agency and is on-boarded fully and ready to make all those policy decisions.” 

The notice about the delay clears up uncertainty about CISA’s plans, said Caleb Skeath, a partner at the Covington law firm.

“It helps provide some clarity on what the next steps are. We did have a statutory deadline for having these rules published, but there had not been a lot of information coming out of CISA for a pretty long period of time since the comment period,” he said. “And it’s a very broad, wide-ranging rule that’s going to impact a lot of entities across a lot of industry sectors, and is going to require very quick reporting of a lot of information about cybersecurity incidents.”

There are limits to the kinds of changes the Trump administration could make to the proposed regulation without going to Congress for additional leeway, Skeath said. And it’s possible that it could take extra time beyond publication of a final rule in May for the regulation to go into effect, he said.

Updated 9/8/25: This story was updated to include comments from Thompson and Boas Hayes.

The post CISA pushes final cyber incident reporting rule to May 2026 appeared first on CyberScoop.