
On May 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security (DHS), officially released details concerning proposed rules for mandatory cyber incident reporting. This move is designed to strengthen the nation’s ability to prepare for and respond to major cyberattacks across critical infrastructure sectors.
The new rules implement requirements set in place by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which mandates that certain critical infrastructure organizations report significant cyber incidents and ransomware payments to CISA within a specified timeframe. The goal of the regulation is to improve coordination between government and private sector entities during cybersecurity events.
Under the newly proposed rule, covered entities would be required to report covered cyber incidents within 72 hours of initial detection and report ransom payments within 24 hours. These covered entities include companies operating in key sectors such as energy, transportation, healthcare, financial services, and water systems. The proposed regulation outlines what constitutes a significant cyber incident, including unauthorized access, data breaches affecting key operations, and vulnerabilities that pose substantial risks.
To ensure clarity, the rule also proposes definitions for terms such as ‘covered entity’ and ‘covered cyber incident’ and includes provisions regarding how information is to be submitted and protected. Importantly, CISA has emphasized that the reporting process is intended not to penalize victims of cyberattacks, but to enable the federal government to analyze threats, identify trends, and issue timely warnings or mitigation strategies to other potential targets.
CISA is currently soliciting public feedback on the proposed rules, with the comment period open for 60 days following the rule's publication in the Federal Register. The agency anticipates receiving input from private industry stakeholders, cybersecurity experts, and the public, and it plans to use that information to refine the final rule.
Jen Easterly, Director of CISA, emphasized that the reporting mandates are meant to establish a comprehensive and collaborative national cyber defense framework. ‘Timely reporting is critical to our ability to rapidly deploy resources and support to victims, share threat information, and take coordinated action to guard against broader national security risks,’ Easterly said in a statement.
Once finalized, the rule is expected to significantly enhance federal situational awareness of cyber threats, improve response times, and facilitate collective defense strategies against increasingly sophisticated cyberattacks. The rule is part of a broader federal initiative to harden national cyber defenses in light of recent high-profile ransomware attacks and state-sponsored cyber intrusions.
Experts suggest that while the regulation sets a precedent for stronger collaboration between the private and public sectors, affected organizations should begin preparing internal protocols to ensure compliance once the final rule takes effect. This includes developing capabilities to detect qualifying incidents quickly, assess legal and operational implications, and establish lines of communication with CISA.
The release of these proposed rules marks a major milestone in the U.S. government’s ongoing effort to secure critical infrastructure and foster a more resilient digital ecosystem in the face of evolving cyber threats.