CISA pushes final cyber incident reporting rule to May 2026

The Cybersecurity and Infrastructure Security Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.

Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.

A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies’ cyber regulations.

“We received a significant number of public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and ensure clarity,” said Marci McCarthy, director of public affairs at CISA. “Stakeholder input is extremely important as we work to draft a rule that improves our collective security. CISA remains committed to implementing CIRCIA to maximize impact while minimizing unnecessary burden to entities in critical infrastructure sectors.”

McCarthy said CISA would take the time prior to May to “examine options within the rulemaking process to address Congressional intent and streamline CIRCIA’s requirements.”

A top lawmaker and leading industry group also told CyberScoop the delay could help make those kinds of changes.

House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the Trump administration assured him that it would prioritize soliciting additional feedback from groups that would be affected by the regulations.

“I support the administration’s decision to extend the deadline for CIRCIA’s final rule as long as this additional time is used to properly capture private-sector feedback on the proposed rule’s reporting requirements and ensure the final rule fulfills congressional intent for the law,” he said. “I share the concern of many industry stakeholders that CIRCIA should not place duplicative or overly broad requirements on critical infrastructure owners and operators. Doing so could unnecessarily burden America’s cyber professionals as they work to defend our networks from heightened threats.”

The 2022 law will require critical infrastructure owners and operators to report to CISA within 72 hours if they suffer a major cyberattack, and to report within 24 hours if they pay a ransomware demand. It was inspired by a spate of major cyberattacks, such as the 2021 Colonial Pipeline hack.

But CISA’s proposed rule — and how it interpreted the scope of whom the law would apply to or what kind of incidents would constitute reporting to CISA — had drawn industry criticism from groups that wanted a narrower reading of the definitions of the law’s key terms and phrases.

The Information Technology Industry Council, which had co-signed letters about the proposed regulation, said the delay gives CISA a chance to adopt industry input.

“Enhancing operational efficiency through improved visibility into significant cyber incidents remains a top priority for the tech industry,” said Leopold Wildenauer, director of cybersecurity policy for the group. “CIRCIA will have a significant impact on the U.S. cyber landscape, so it’s critical to get it right. CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congress’s original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes.”

Bloomberg Law had earlier reported the planned delay, based on a notice that disappeared from the Office of Information and Regulatory Affairs website for weeks afterward.

Personnel cutbacks at CISA and other developments had long prompted concerns that the agency would not meet the October CIRCIA deadline. Department of Homeland Security Secretary Kristi Noem said in May she would support re-opening industry consultation on the proposed regulation.

The top Democrat on Garbarino’s panel, Mississippi Rep. Bennie Thompson, said the Trump administration appears to have done little to meet the deadline, among other criticisms. He told CyberScoop in an emailed statement that he first learned about the rulemaking time shift last week.

“I’m disappointed that CISA has failed to keep its authorizers — and one of the authors of the CIRCIA — updated of its lack of progress in issuing a final rule,” he said. “I am also disappointed that CISA has yet to initiate an ex parte process to gather additional input to inform the final rule. All evidence suggests the administration burned seven months doing nothing while it could have been engaging with stakeholders and working toward a final rule. Full implementation of CIRCIA will enhance our collective ability to detect and disrupt cyber threats and, if done right, drive harmonization of cyber incident reporting rules.”

The former CISA official who ran the CIRCIA program, Lauren Boas Hayes, wrote in an op-ed for CyberScoop in July that it was always going to be difficult for CISA to meet the October deadline without a confirmed director. The Senate Homeland Security and Governmental Affairs Committee has since approved the nomination of Sean Plankey, but the full Senate has yet to vote to confirm him.

“I am happy to see that they are acknowledging that and moving the deadline to a reasonable timeframe so that they can make those policy decisions, give the program clear prioritization and direction, and continue to move towards a CIRCIA final rule that will have positive impacts for the nation and for our national security,” Boas Hayes told CyberScoop in response to the shifted deadline. “I hope that the acting director of CISA is providing that clear guidance and prioritization to the staff so that they can continue to make progress now and when the CISA director joins the agency and is on-boarded fully and ready to make all those policy decisions.”

The notice about the delay clears up uncertainty about CISA’s plans, said Caleb Skeath, a partner at the Covington law firm.

“It helps provide some clarity on what the next steps are. We did have a statutory deadline for having these rules published, but there had not been a lot of information coming out of CISA for a pretty long period of time since the comment period,” he said. “And it’s a very broad, wide-ranging rule that’s going to impact a lot of entities across a lot of industry sectors, and is going to require very quick reporting of a lot of information about cybersecurity incidents.”

There are limits to the kinds of changes the Trump administration could make to the proposed regulation without going to Congress for additional leeway, Skeath said. And it’s possible that it could take extra time beyond publication of a final rule in May for the regulation to go into effect, he said.

Updated 9/8/25: This story was updated to include comments from Thompson and Boas Hayes.

The post CISA pushes final cyber incident reporting rule to May 2026 appeared first on CyberScoop.

CISA is facing a tight CIRCIA deadline. Here’s how Sean Plankey can attempt to meet it

During a Senate Homeland Security and Governmental Affairs Committee hearing earlier this month in which lawmakers considered if Sean Plankey is fit to become director of the Cybersecurity and Infrastructure Security Agency, ranking member Gary Peters asked the CISA nominee how he would ensure the agency meets all of its statutory requirements, including those in the Cyber Incident Reporting for Critical Infrastructure Act of 2022. 

The problem is, it can’t. To meet the statutory deadline established by Congress, CISA will need to publish a final rule by October. That means CISA has two months left. 

Ever since CIRCIA was signed into law in March 2022, CISA has had every intention of meeting this deadline. I know that because I ran the program while at CISA, from the day it was signed into law through when I left government in January. 

You don’t have to take my word for it. CISA was shouting its commitment to this timeline from the rooftops. You can check the Unified Agenda — the government’s official record of planned regulatory action — from both fall 2024 and spring 2024, both of which state that CISA was targeting an Oct. 4 final rule due date. These commitments are additionally reinforced by the updates provided in the National Cybersecurity Strategy Implementation Plan published by the Office of the National Cyber Director. The formal publications mirror the consistent public statements made by senior officials from CISA and the Department of Homeland Security over multiple years. 

However, since January there has been silence from the agency regarding CIRCIA. Despite receiving hundreds of public comments on the CIRCIA Notice of Proposed Rulemaking, which necessitates an internal policy process to decide how to respond to those comments and adjust the rule, the agency has made no public statements about its progress.  

There is no way for CISA to address hundreds of policy decisions, revise a 450-page piece of regulation, coordinate those revisions with all relevant agencies, and gain the necessary White House approval in two months. This work could have been accomplished had it been prioritized by the current administration on Day One. However, without a CISA director, that work does not appear to have occurred.

In response to Sen. Peters’ question, Plankey responded that he is “going to empower those operators to operate.” I know the operators who worked nights and weekends analyzing the public comments, modernizing existing technology systems, building new tools using CIRCIA funds appropriated by Congress, and expanding the agency’s capacity to support victims ahead of CIRCIA’s launch. I know those people are prepared to present critical policy matters to the next CISA director and to move quickly to draft a final rule. 

Peters also asked Plankey how he would achieve those goals amid budget cuts and the hundreds of personnel leaving the agency. While the CIRCIA program has faced personnel changes, its core staff remain committed to the cause. 

Congress has provided substantial funding for CIRCIA, but without a centralized division or subdivision dedicated to this work within the agency, it’s hard for the program to protect and target these funds exclusively for CIRCIA’s new requirements. Although not fully funded, the program has strong support, and the new director should ensure all resources and people appropriated by Congress for CIRCIA implementation are focused on preparing CISA to serve as the nation’s central cyber incident repository. 

Now that Plankey is poised to become the CISA director, I hope he will prioritize these statutory requirements from Congress and act immediately to advance the CIRCIA final rule for our national security. Plankey said that if confirmed he would like to “get in, provide them the direction, tell them the hill we are going to take, and protect the American public from cybersecurity attacks on critical infrastructure.” 

I hope that in partnership with the CIRCIA team, he does just that.

Lauren Boas Hayes is a cybersecurity and tech trust & safety expert with experience working at CISA, Meta, and Deloitte. She is a founding fellow of the Integrity Institute and an adjunct professor at Georgetown University & Johns Hopkins SAIS.

The post CISA is facing a tight CIRCIA deadline. Here’s how Sean Plankey can attempt to meet it appeared first on CyberScoop.
