The Cybersecurity and Infrastructure Security Agency (CISA) recently published a Federal Register notice announcing a new series of virtual "town hall" meetings intended to gather additional stakeholder input on "refining the scope and burden" of CISA's proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
The town halls are notable because they are not a routine part of rulemaking – and because CISA is explicitly telegraphing that it is reexamining some of the most contested elements of the original April 2024 notice of proposed rulemaking (NPRM).
Background on CIRCIA
CIRCIA directs CISA to establish a mandatory reporting regime under which covered entities in critical infrastructure sectors must report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours. The reporting obligations only become mandatory when CISA's final rule takes effect.
The Rulemaking Process
CIRCIA required CISA to publish an NPRM within 24 months of enactment and a final rule 18 months after the NPRM. By the statutory timeline, CISA was a few days late with the NPRM and is already four months behind on the final rule. According to the latest information from the Office of Information and Regulatory Affairs, the final rule is currently expected in May 2026.
CISA began the rulemaking process shortly after CIRCIA was enacted in 2022, with a request for information and a series of "listening sessions." CISA published its NPRM on April 4, 2024. The NPRM was widely criticized as overbroad, including by members of Congress responsible for CIRCIA. It attracted a substantial number of comments, including several prepared by and one on behalf of our firm. Our comments were cited by CISA in its decision to initiate tribal consultations, which were held in December. The recent town hall announcement marks CISA's first public engagement on CIRCIA rulemaking since those consultations.
Upcoming Town Halls
CISA's notice establishes a new public engagement process, consisting of a series of two-hour virtual sessions, some general-purpose and most aimed at specific critical infrastructure sectors. Online registration is required, with registration closing at 5 p.m. ET two business days before each session. Speakers will be limited to three-minute remarks, and sessions will be recorded and transcribed for the rulemaking docket. Written materials may be submitted as part of the public town hall record up to seven calendar days after each session. The docket will also include the names and organizational affiliations of attendees.
CISA is organizing the town halls largely around the critical infrastructure sectors, plus two general sessions.
Sector-based sessions:
- March 9 at noon ET: Chemical; Water and Wastewater; Dams; Energy; Nuclear Reactors, Materials and Waste
- March 12 at noon ET: Commercial Facilities, Critical Manufacturing, Food and Agriculture
- March 17 at 11 a.m. ET: Emergency Services, Government Facilities, Healthcare and Public Health
- March 18 at noon ET: Communications, Transportation Systems, Financial Services
- March 19 at noon ET: Defense Industrial Base, Information Technology
General sessions:
- March 31 at 11 a.m. ET: General Session 1
- April 2 at 11 a.m. ET: General Session 2
The "Topics of Interest" – Where CISA Is Signaling Potential Changes
CISA has identified specific "topics of interest" and requests "specific, actionable improvements" that would clarify or reduce burden while preserving visibility into threats to critical infrastructure. In large part, they reflect that CISA is responding to critiques of the original NPRM as overbroad and vague.
The topics of interest track many of the most-debated aspects of the NPRM, including:
- Whether there should be a size-based criterion for covered entities
- Alternative sector-based criteria
- Accuracy of CISA's examples of reportable incidents and interpretations of statutory language
- Contents of reports
- Harmonization with existing legal requirements
- Enforcement process and mechanics
Most significantly, the approach to defining the scope of covered entities is clearly in question. Under the original NPRM, the "size-based criterion" would sweep in large entities that happen to operate in a critical infrastructure sector; under existing guidance, these sectors were vaguely and expansively defined. The alternative and more targeted approach – "sector-based criteria" – would specify the types of entities covered in each critical infrastructure sector. The town hall topics of interest explicitly question whether a size-based criterion is appropriate at all. CISA also calls for proposed sector-based criteria for the Commercial Facilities, Dams, and Food and Agriculture sectors, as the original NPRM had offered none, instead relying only on the size-based criterion for entities in these sectors.
Overall, CISA's new town halls represent a meaningful procedural signal: After an NPRM that drew sustained criticism over breadth and burden, CISA is now explicitly soliciting options to recalibrate the rule's scope, reduce duplication and refine definitions. This may be the most concrete near-term opportunity to shape how CIRCIA lands in practice – particularly around the scope of covered entities, report contents and harmonization. Our team is closely monitoring these developments and is ready to assist clients in assessing coverage, preparing town hall remarks or written submissions, and integrating CIRCIA compliance into existing incident response processes.