CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Pub.L. 117‑103, Division Y) requires covered critical infrastructure entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery and to report ransom payments within 24 hours. The act establishes reporting requirements, defines covered entities, and mandates the Secretary of Homeland Security to issue guidance and maintain a public database of reported incidents.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (8)
CIRCIA: Cyber Incident Reporting Council (Sec. 2246)
| Code | Title |
|---|---|
| CIRCIA-2246 | Cyber Incident Reporting Council Harmonization |
CIRCIA: Cyber Incident Review (Sec. 2241)
| Code | Title |
|---|---|
| CIRCIA-2241 | Cyber Incident Review and Threat Indicator Sharing |
CIRCIA: Definitions and Scope (Sec. 2240)
| Code | Title |
|---|---|
| CIRCIA-2240 | Definitions: Covered Entity, Covered Cyber Incident, Ransom Payment |
CIRCIA: Enforcement and Noncompliance (Sec. 2244)
| Code | Title |
|---|---|
| CIRCIA-2244b | Response to a CISA Request for Information |
| CIRCIA-2244c | Subpoena and Civil Enforcement for Noncompliance |
| CIRCIA-2244d | Referral to the Attorney General |
| CIRCIA-2244f | Exclusion of State, Local, Tribal and Territorial Governments |
CIRCIA: Federal Sharing of Reports (Sec. 2247)
| Code | Title |
|---|---|
| CIRCIA-2247 | Federal Sharing of Incident Reports |
CIRCIA: Information Protections (Sec. 2245)
| Code | Title |
|---|---|
| CIRCIA-2245a | Authorized Use, Retention and Digital Security of Reports |
| CIRCIA-2245a5 | Prohibition on Use of Reported Information in Regulatory Actions |
| CIRCIA-2245b | Protections for Reporting Entities (FOIA, Privilege, Proprietary) |
| CIRCIA-2245c | Liability Protections and Evidentiary Restrictions |
CIRCIA: Required Reporting (Sec. 2242)
| Code | Title |
|---|---|
| CIRCIA-2242a1 | 72-Hour Covered Cyber Incident Report |
| CIRCIA-2242a2 | 24-Hour Ransom Payment Report |
| CIRCIA-2242a3 | Supplemental Reports |
| CIRCIA-2242a4 | Preservation of Data Relevant to the Incident |
| CIRCIA-2242a5 | Reporting Exceptions: Substantially Similar Reporting and DNS |
| CIRCIA-2242c4 | Required Contents of a Covered Cyber Incident Report |
| CIRCIA-2242c5 | Required Contents of a Ransom Payment Report |
| CIRCIA-2242d | Third-Party Report Submission |
| CIRCIA-2242e | Awareness of Reporting Obligations |
CIRCIA: Voluntary Reporting (Sec. 2243)
| Code | Title |
|---|---|
| CIRCIA-2243 | Voluntary Reporting of Other Cyber Incidents |
Your Compliance Coverage
If you comply with CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act), you already cover:
Maps to 3 other frameworks
Frequently Asked Questions
What is CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)?
CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) is a compliance framework from United States with 8 domains and 22 controls. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Pub.L. 117‑103, Division Y) requires covered critical infrastructure entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery and to report ransom payments within 24 hours. The act establishes reporting requirements, defines covered entities, and mandates the Secretary of Homeland Security to issue guidance and maintain a public database of reported incidents. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) have?
CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) has 22 controls organised across 8 domains. The largest domains are CIRCIA: Required Reporting (Sec. 2242) (9 controls), CIRCIA: Enforcement and Noncompliance (Sec. 2244) (4 controls), CIRCIA: Information Protections (Sec. 2245) (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) map to?
CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) maps to 3 other compliance frameworks. The top mapping partners are NIST Cybersecurity Framework 2.0 (36% coverage), NIST SP 800-53 Rev 5 (32% coverage), ISO 27001:2022 (27% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) compliance?
Start your CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.
Get Started Free →Free forever — no credit card required