geographic points across a map of the United States

Understanding CIRCIA: Critical Infrastructure Cybersecurity

November 15, 2023

CIRCIA and Its Significance

The Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA) is designed to enhance critical infrastructure security in the United States. Enacted in March 2022, the act is a direct response to the escalating menace of cyberattacks targeting critical infrastructure, exemplified by the ransomware attack on the Colonial Pipeline in May 2021. The act requires all critical infrastructure entities to report any cybersecurity incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA) within specific timeframes.

CIRCIA Requirements

The CIRCIA compliance requirements are straightforward: all critical infrastructure entities must report any cybersecurity incidents to the CISA within 72 hours of when the entity reasonably believes the incident occurred. Ransomware payments must be reported within 24 hours of payment being made.

In response to CIRCIA, the CISA and FBI established two entities to combat cybercrime: the Joint Ransomware Task Force (JRTF) and the Ransomware Vulnerability Warning Pilot (RVWP) program. These organizations are tasked with coordinating a nationwide campaign against cyberattacks, identifying the most common vulnerabilities used in ransomware attacks, and identifying systems that contain these vulnerabilities.

CIRCIA Critical Infrastructure Sectors

CIRCIA was introduced to ensure that critical infrastructure entities report any cybersecurity incidents they encounter, helping the government render assistance and take necessary steps to prevent similar incidents from occurring in the future. CIRCIA applies to organizations that own or operate critical infrastructure in the following sectors:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials and Waste
  • Transportation Systems
  • Water and Wastewater Systems

When Does CIRCIA Take Effect?

CIRCIA was enacted in March 2022. However, per the CIRCIA timeline, CISA must publish proposed rules by March 2024, with final rules published no later than September 2025. The final rules will provide instructions for reporting cyber incidents and ransom payments and identify cooperation procedures between CISA and impacted organizations. Until final rules are defined, critical infrastructure entities are not legally required to report incidents, though proactive incident reporting is strongly encouraged.

What Can You Do To Prepare?

The bottom line is having a strong cybersecurity posture is of the utmost importance. Cyberattacks are becoming increasingly sophisticated and frequent, and any organization can fall victim to them. A robust cybersecurity posture is essential to protect sensitive information, prevent financial losses, and maintain the trust of customers and stakeholders. Organizations can significantly reduce the risk of cyberattacks and their potential consequences by implementing strong security measures, such as strong passwords, multi-factor authentication, and regular security training. Even after the final rules are published, it is better to prevent attacks altogether or limit the scope of their damage.

All organizations, especially those in critical infrastructure sectors, need an incident response plan. IBM’s 2022 Cost of a Data Breach Report found that organizations with an incident response team and tested incident response plan saw 58% cost savings in the event of a breach1. This process should be well-defined, and all employees should be aware of their roles and responsibilities in the event of a cybersecurity incident. The incident response plan should also include a clear chain of command and a communication plan to ensure that all stakeholders and relevant government entities are informed promptly.

Here is a previous blog post about the importance of incident response planning.

Talk to a Cybersecurity Expert

According to Fortinet’s 2023 Global Ransomware Report, despite 78% of organizations believing they are “very” or “extremely” prepared to mitigate an attack, 50% still fell victim to ransomware2. Our team can help you baseline your security posture and identify opportunities for improvement. Start a conversation with a Dewpoint cybersecurity expert today and reduce your risk against the evolving world of cybercrime.

Want instant feedback on your security posture? Take our quiz!

Dewpoint, an award-winning, Michigan-based technology firm, has been helping businesses prepare for, stay ahead of, and respond to IT challenges for over 26 years. From IT security to infrastructure management to automation, cloud migration, and beyond, Dewpoint has long been a trusted technology resource for businesses.



2 Fortinet

Contact Us