- CIRCIA reporting requirements are nearing implementation
- More federal cyber rules are expected this fall
- The 2026 Homeland Security Summit will explore AI, cyber defense and more
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency expects to issue the final rule implementing the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, in September, Federal News Network reported Monday.

As CISA advances major cybersecurity regulations affecting critical infrastructure and government-industry collaboration, homeland security leaders continue to examine the evolving policy and operational landscape. Join the 2026 Homeland Security Summit, where experts will discuss artificial intelligence, cyber defense and operational capabilities across major DHS agencies. Sign up now for the Nov. 12 event to hear firsthand perspectives on the challenges and opportunities shaping the homeland security mission.
According to the latest Unified Agenda of Federal Regulatory and Deregulatory Actions, the final rule will require covered critical infrastructure organizations to report covered cyber incidents to CISA within 72 hours and ransomware payments within 24 hours once the regulation takes effect. The reporting requirements would apply across the country’s 16 critical infrastructure sectors.
What Is the Status of the CIRCIA Rule?
According to Nextgov/FCW, Congress passed the legislation underlying CIRCIA in 2022, but the final rule has been delayed beyond its statutory timeline. CISA published the proposed rule in April 2024 and missed the statutory October 2025 deadline for issuing the final regulation.
Nextgov/FCW also reported that CISA held additional stakeholder town halls in June to discuss the proposed requirements after the now-resolved DHS shutdown in the Spring delayed scheduling of the meetings.
What Other Cybersecurity Rules Are Expected This Fall?
According to FNN, the Unified Agenda also projects that a federal contracting rule establishing standardized cybersecurity requirements for unclassified federal information systems will be finalized in September. According to the regulatory preview, the rule is intended to strengthen the protection of federal information systems by standardizing common cybersecurity contractual requirements across agencies.
Another federal contracting rule covering cyberthreat and incident reporting and information-sharing is also projected for finalization in September. Both regulations have been anticipated since the proposed versions were issued in 2023.
How Do These Actions Align With Broader Cybersecurity Efforts?
The anticipated CIRCIA rule and other cybersecurity regulations come as the Trump administration advances broader efforts to strengthen federal cyber policy and critical infrastructure security. In February, administration officials announced several forthcoming cybersecurity initiatives, including a new national cyber strategy, an update on federal incident reporting rules and the development of an artificial intelligence security collaboration framework.
Separately, CISA recently established ANCHOR-CI, or the Alliance of National Councils for Homeland Operational Resilience-Critical Infrastructure, to expand information-sharing and strengthen government-industry collaboration to improve the security and resilience of U.S. critical infrastructure.






