Individuals and entities in CIRCIA-covered critical infrastructure sectors must report covered cyber incidents to CISA within 72 hours of reasonably believing a “substantial cyber incident” has occurred, and report ransomware payments within 24 hours of making the payment.

Core timing rule under CIRCIA

  • The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022, requires covered critical infrastructure entities to submit a report to CISA no later than 72 hours after the entity reasonably believes a covered (substantial) cyber incident has occurred.
  • If the covered entity makes a ransom payment , a separate report must be submitted to CISA within 24 hours of making that payment , even if a 72‑hour incident report has already been or will be filed.

Status and practical context (2024–2025)

  • CIRCIA sets these 72‑hour and 24‑hour deadlines in the statute, but CISA is finalizing detailed implementing rules (definitions, formats, portals), with proposed rules published in April 2024 and the final rule expected to take effect after the rulemaking is complete.
  • Analyses of the proposed rule emphasize that, once effective, all covered entities in the 16 critical infrastructure sectors that fall within CIRCIA’s scope will need internal playbooks to detect when they “reasonably believe” an incident is covered and to trigger reporting workflows quickly enough to meet these 72‑ and 24‑hour clocks.

Quick reference table

[2][3][7] [9][1][4][7] [1][3][9] [7][9][1] [4][9][1][7] [3][9][1]
Event type Who is covered Deadline to report to CISA Trigger point
Covered / substantial cyber incident Entities in one of the 16 critical infrastructure sectors that meet CIRCIA’s coverage criteria.Within 72 hours.When the entity reasonably believes a covered / substantial incident has occurred.
Ransomware payment Same covered critical infrastructure entities when they make a ransom payment related to an incident.Within 24 hours of the payment.The time the ransom is paid, regardless of whether a prior incident report was filed.
**TL;DR:** Under CIRCIA, if you are in a covered critical infrastructure sector, plan to report qualifying cyber incidents to CISA within **72 hours of reasonable belief of a substantial incident** and **24 hours of any ransom payment** once the final rules are in effect.

Information gathered from public forums or data available on the internet and portrayed here.