CISA Issues Revised Virtual Town Hall Schedule for Input on Proposed Cyber Incident Reporting

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 was enacted to give the federal government real‑time insight into cyber threats targeting the nation’s most essential services. Under the law, the Cybersecurity and Infrastructure Security Agency (CISA) is tasked with drafting regulations that standardize how operators of power grids, water systems, hospitals, and other critical entities disclose breaches. By aggregating incident data, policymakers hope to identify emerging attack patterns, allocate resources more efficiently, and ultimately deter adversaries seeking to exploit systemic vulnerabilities.

CISA’s latest draft, unveiled in March 2024, tightens reporting deadlines to 72 hours for any qualifying cyber incident and 24 hours for ransom payments. The agency scheduled a series of virtual town‑hall meetings to solicit feedback, but a partial shutdown of the Department of Homeland Security forced a postponement from March‑April to a June 15 kickoff. The American Hospital Association has warned that the new requirements overlap with existing reporting obligations from agencies such as the Department of Health and Human Services, potentially stretching already‑strained IT teams during active incidents.

If finalized, the rule could become the de‑facto baseline for cyber‑incident transparency across the United States, compelling thousands of private‑sector operators to adopt uniform reporting processes. While increased visibility may improve national threat intelligence, firms must weigh the operational costs of rapid disclosure, especially in sectors where downtime directly endangers lives. Stakeholder input gathered during the town‑halls will likely shape exemptions, reporting thresholds, and data‑handling safeguards, setting a precedent that could influence future legislation on ransomware payments and supply‑chain security.