The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a federal law signed by President Biden on March 15, 2022, as part of the Consolidated Appropriations Act, 2022. The final rule is not yet in effect, but the core obligations it will impose are already set in the statute, the rulemaking timeline is advancing, and organizations that wait for the enforcement date to begin preparing will find themselves behind, both operationally and in their regulatory standing.
For utilities and other critical infrastructure operators, the most consequential aspect of CIRCIA is not the 72-hour reporting clock. It is the supply chain provision: a breach at a third-party vendor that results in unauthorized access to a covered entity's systems is a reportable incident under CIRCIA, even if the covered entity's own perimeter was never directly attacked and the entry point was entirely the vendor's.
What does CIRCIA require for supply chain incidents?
Under CIRCIA, a covered entity's own infrastructure need not be directly targeted for an incident to be reportable. The statute's definition of a substantial cyber incident expressly includes unauthorized access, or disruption of business or industrial operations, facilitated through or caused by a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise. If a vendor, MSP, or cloud provider is breached and that breach gives an attacker unauthorized access to your environment, CIRCIA treats it as a covered incident. What matters is that the access happened, not how the attacker got in.
This creates a two-part preparedness requirement. First, covered entities must be able to detect a supply chain compromise that results in unauthorized access to their systems. Second, they must be able to report the details of that incident to CISA within 72 hours of forming a reasonable belief that it occurred.
Both requirements depend on capabilities that most current TPRM programs lack: continuous monitoring of vendor access and behavior, real-time visibility into supply chain threats, and internal workflows to escalate and report under compressed timelines.
Who does CIRCIA apply to?
CIRCIA applies to covered entities across all 16 critical infrastructure sectors, including energy, healthcare, financial services, water, and transportation, and requires reporting of substantial cyber incidents within 72 hours and of ransomware payments within 24 hours.
In its proposed rule, CISA estimated that roughly 316,000 entities will be subject to CIRCIA's reporting requirements once the final rule takes effect. For utilities, this includes electric, water, and natural gas operators, as well as many of the contractors and service providers that support them.
Importantly, many organizations that have never considered themselves to be in the critical infrastructure sector will find themselves squarely within scope under CIRCIA's broad sector definitions.
Non-compliance carries real consequences, though not in the form of a fixed fine. CIRCIA itself sets no per-day monetary penalty. Instead, CISA is authorized to compel information from an entity it believes has failed to report by issuing a request for information and then a subpoena; if the subpoena is ignored, CISA can refer the matter to the Department of Justice, which can bring a civil action in federal court to enforce it, with contempt of court as the sanction. Federal contractors that fail to comply can also be referred for suspension and debarment. Organizations that wait for enforcement to begin preparing will face operational, legal, and reputational exposure at the same time.
What is the current timeline for CIRCIA enforcement?
CISA originally targeted October 2025 for publication of the final rule, which is the statutory deadline of 18 months after the proposed rule was published in April 2024. After receiving extensive public comments on the proposed rulemaking, the agency moved its target to May 2026. That date is likely to slip further: the town halls CISA had scheduled to gather additional stakeholder input were canceled during the government shutdown earlier this year. On April 24th, CISA announced that it remains committed to giving stakeholders an opportunity to comment through town halls before the rule is finalized. Given that 16 town halls must be rescheduled, held, and their feedback incorporated, a May 2026 release of the final rule is effectively impossible. Organizations should nonetheless be prepared to comment on the rule at the town halls and to see a final rule later this year. Nothing in the extension suggests a less rigorous rule than the proposed version; the additional comment rounds point toward a more refined final text, not a weaker one.
Regardless of the precise publication date, the core reporting obligations, 72-hour reporting of substantial cyber incidents and 24-hour reporting of ransomware payments, are written into the statute itself and will not change in the final rule. Organizations that treat the remaining runway as preparation time will be in a fundamentally better position than those waiting for the ink to dry.
What preparation steps should you take now?
- You cannot report a supply chain incident you cannot detect. Organizations need ongoing visibility into vendor access, behavior, and security posture, not annual questionnaires. Fortress applies always-on monitoring across supplier ecosystems to surface meaningful changes before they become reportable incidents.
- CIRCIA's supply chain provision extends to vendors, managed service providers, and cloud platforms, not just direct suppliers. Organizations need visibility into the full depth of their supply chain exposure to understand where CIRCIA-reportable incidents could originate.
- The 72-hour clock starts when a covered entity forms a reasonable belief that a substantial cyber incident has occurred; the separate 24-hour clock for a ransomware payment starts when the payment is made. Reaching that determination quickly requires defined escalation paths, clear ownership, and pre-built reporting workflows. Organizations without these in place before an incident will struggle to meet the deadline.
- CIRCIA's proposed rule requires covered entities to preserve incident-related data and records for at least two years after submitting a report, with secure storage and access controls. Two years of incident-related records, including logs, forensic images, and communications with vendors, represent a significant operational requirement that needs infrastructure investment now, not after an event.
- Vendor contracts must also be reviewed and updated before an incident occurs. CIRCIA reporting requires that covered entities be able to share incident details with CISA within the reporting window. If existing vendor agreements include confidentiality clauses that restrict information sharing or do not require vendors to notify you of breaches in time to meet the 72-hour clock, those agreements will prevent CIRCIA compliance regardless of how strong your monitoring capabilities are. Ensuring vendor contracts include breach notification timelines, nth party visibility requirements, and the right to share incident information with federal regulators is a TPRM requirement that must be addressed before enforcement begins.
How does Fortress support CIRCIA readiness?
Fortress Information Security works at the intersection of federal mandates and critical infrastructure operations. Our approach is built on continuous monitoring, supply chain intelligence, and operational context, addressing the exact capabilities that CIRCIA's supply chain provisions require.
Fortress' experience supporting federal agencies and regulated critical infrastructure operators means its TPRM programs are built to meet regulatory expectations under NIST SP 800-161r1, Executive Order 14028, and the emerging CIRCIA framework, not retrofitted for compliance after the fact.
CIRCIA's supply chain reporting requirements will apply broadly across critical infrastructure. The organizations best positioned for enforcement will be those that built continuous, intelligence-led TPRM programs before the deadline, not because a regulator required it, but because their operational environment demanded it. Fortress helps critical infrastructure operators get there.
Frequently Asked Questions About CIRCIA and Supply Chain Reporting
What are the penalties for failing to report under CIRCIA?
CISA has the authority to compel information from covered entities that fail to report, first through a request for information and, if necessary, through a subpoena. CIRCIA does not establish a per-day fine; if an entity ignores a subpoena, CISA may refer the matter to the Department of Justice, which can bring a civil action in federal court to enforce it, and a court may treat continued non-compliance as contempt. Information obtained through a subpoena may also be referred to the Attorney General if it reveals possible criminal activity, and federal contractors that fail to comply can be referred for suspension and debarment. Organizations that fail to report incidents they were aware of face both the legal consequences of a federal enforcement action and the reputational damage that comes with it.
Does CIRCIA apply to my organization if I am not directly in a critical infrastructure sector?
Scope under CIRCIA is broader than most organizations expect. Under the proposed rule, an entity is a covered entity if it operates in one of the 16 designated critical infrastructure sectors and either exceeds the Small Business Administration's small business size standard for its industry or meets one of the rule's sector-specific criteria, which apply regardless of size (examples in the proposed rule include owners and operators of bulk electric system assets and community water systems serving more than 3,300 people). Critically, a vendor, managed service provider, or contractor that supports a covered entity's critical infrastructure operations may itself meet these criteria and be treated as a covered entity in its own right. Many organizations that do not consider themselves critical infrastructure will find they are embedded in critical infrastructure supply chains in ways that bring them within scope. The safest approach is to assess scope proactively against CISA's sector definitions and the proposed rule's criteria rather than assuming exemption.
What vendor contract requirements does CIRCIA create?
CIRCIA does not prescribe specific contract language, but its reporting requirements create practical obligations that flow directly into vendor agreements. To meet the 72-hour reporting deadline, covered entities need vendors to notify them of breaches promptly, share incident details that can be passed to CISA without violating confidentiality clauses, provide visibility into nth tier vendors and their own supply chain dependencies, and cooperate with forensic investigation and evidence preservation requirements. Vendor agreements that predate CIRCIA are unlikely to include these provisions. Reviewing and renegotiating contracts with high-risk vendors before the final rule takes effect is a preparation step that sits squarely within the TPRM program, and one that Fortress helps critical infrastructure operators execute.
