How Cybersecurity Incident Reporting Could Change

February 23, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) is hosting a series of virtual townhalls about a proposed rule that would change how essential organizations report cyber incidents to the government.

The meetings, which are set for March 9, are designed to gather input about the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

“Implementing CIRCIA will significantly enhance our ability to assist victims of cyber incidents, identify emerging threats, and rapidly share actionable information to protect others,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen in a statement.

Here’s what you need to know:

• Background:  The rule would require critical infrastructure organizations like hospitals to report cyber incidents to the government with 72 hours and ransom payments within 24 hours.
• AHA Take:  The American Hospital Association (AHA) has objected to the proposed rule, saying it is “redundant to what is required by other federal agencies, adding unnecessary burden to what the hospital must do at the same time that it is working to ensure patients are getting the care they need despite the crippling of vital electronic systems.” 
• Caveat:  The meetings times may change due to the lapse in Department of Homeland Security appropriations, officials noted.
• Registration:  Interested participants in the health care sector town hall can register online.
• Quotable:  “CISA is committed to delivering a framework that appropriately balances its impact on improving our nation’s cybersecurity posture with avoiding unnecessary burden to entities in critical infrastructure sectors.” Andersen said.

Additional information is available online.