CISA: Nearly 311,000 ‘Small Entities’ Covered By Proposed Cyberattack Reporting Rules

The rules are aimed at improving transparency and information sharing about major cyber incidents affecting U.S. critical infrastructure.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed Wednesday that it believes nearly 311,000 “small entities” would be subject to proposed rules requiring reporting of major cyberattacks.

The rules have been in development for the past two years since the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) became law. The main facets of the rules include a requirement that covered entities report major cyber incidents to CISA within 72 hours and report ransom payments within 24 hours.


The regulation is not likely to take effect until late 2025 at the earliest, and possibly not until 2026, CISA said.

CISA believes there are a total of 316,244 “covered entities” in the U.S., and the vast majority — 310,855 of them — “would be considered small entities,” the agency said in the Notice of Proposed Rulemaking (NPRM) document posted Wednesday in the Federal Register.

The agency said it estimates organizations will file 210,525 CIRCIA reports during the “period of analysis,” which is stated to run through 2033.

Costs for covered entities will include “becoming familiar with the proposed rule, followed by the recurring data and records preservation requirements, and then reporting requirements,” CISA said.

“CISA is cognizant of the fact that reporting does not come without costs, however, so CISA is not seeking simply to capture the maximum number of reports possible under the statutory language (i.e., by scoping both the applicability of the rule and covered cyber incidents as broadly as legally permissible),” the agency said. “CISA’s goal is to identify and achieve the proper balance among the number of reports being submitted, the benefits resulting from their submission, and the costs to both the reporting entities and the government of the submission, analysis, and storage of those reports.”

In a news release, CISA Director Jen Easterly called the CIRCIA rules a “game changer for the whole cybersecurity community.”

“It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” Easterly said.

While CISA has already been collecting public input since September 2022, the release of the NPRM document will be followed by an “open comment period” prior to the introduction of the final version of the rule.

CISA said it “expects the Final Rule to publish in late 2025,” but “in order to comply with Administrative Procedure Act and Congressional Review Act requirements, CISA would be required to delay the effective date of the rule for a total of 60 days, which would likely push the effective date to 2026.”

“Due to this required delay and uncertainty surrounding the publication date, covered entities will likely not begin submitting CIRCIA reports until 2026,” the agency said.