CIRCIA's March 2026 Reopening: What Critical Infrastructure Leaders Need to Tell Their Boards About the 72-Hour Rule


CIRCIA's 72-hour reporting rule isn't a security problem—it's a governance one. Can your board answer who makes the call, when, and with what authority? Here's what leaders must know.

March 13, 2026 · 12 min read · By Adil Karam

Your board does not have a "cyber incident" problem. It has a decision-speed problem. When federal regulators require a formal report to CISA within 72 hours of a suspected significant cyber attack, and a separate report within 24 hours of any ransomware payment, the question stops being "do we have good security?" and becomes "who makes the call, when, with what authority, and how do we document it?" Most boards cannot answer that question today. If yours cannot either, you have a governance gap that now carries personal liability.

CIRCIA requires CISA to develop and implement regulations mandating that covered entities report covered cyber incidents and ransomware payments to the agency. Those reports will allow CISA to rapidly deploy resources and assist victims, analyze incoming reporting across sectors to spot trends, and share information with network defenders to warn other potential victims.

That purpose is sound. But the compliance burden on your organization is substantial, and the governance demands fall squarely on the board, not the IT department.

CISA announced in a Federal Register notice on February 13, 2026 that it will host a series of virtual town hall meetings between March 9 and April 2, 2026 to obtain additional feedback on the CIRCIA rulemaking.

The continued delays associated with federal appropriations lapses will likely result in a delay to the issuance of the final rule. Any changes or updates to meeting dates will be posted on www.cisa.gov/circia.

Read that carefully. Bureaucratic delays do not mean the requirements are softening. They mean the clock to build your internal capabilities is still running, and organizations that treat any pause in rulemaking as permission to pause their preparation will be the ones scrambling when the final rule drops.

The Rule You Need to Understand Now

The statute requires that CISA's final rule trigger a report within 72 hours of the time an entity reasonably believes a "substantial cyber incident" has occurred, or within 24 hours of making a ransom payment.

Two timelines. Both unforgiving.

CIRCIA's clock starts the moment your team suspects something significant happened, not when forensics wrap up or when leadership convenes.

That single sentence should end every board meeting discussion about whether this regulation is "an IT issue." It is not. The moment of suspicion triggers the clock. Your legal team needs to be in the loop before the clock starts, not after. Your board needs pre-established authority chains before the incident occurs, not during it.

Covered entities will be required to report substantial cyber incidents within 72 hours of a reasonable belief that such an incident has occurred. A "substantial cyber incident" is defined in the proposed rule as causing substantial loss of confidentiality, integrity, or availability; serious impact on safety and resiliency of operational systems and processes; disruption of ability to engage in business or industrial operations or deliver goods or services; or unauthorized access facilitated through or caused by a compromise of a provider or third party or a supply chain compromise.

That definition captures a wide range of incidents your organization has probably treated as operational problems to be solved quietly. Under CIRCIA, they become federal reporting obligations.

Under CISA's proposal, the rule would apply to any entity operating in one of 16 critical infrastructure sectors that exceeds a Small Business Administration small business size standard. CISA has estimated that the rule would apply to more than 300,000 entities.

If your organization operates in energy, financial services, healthcare, transportation, information technology, communications, or any of the other sectors defined under Presidential Policy Directive 21, you should be operating under the assumption that you are a covered entity. Waiting for the final rule to make that determination is a governance failure, not a prudent strategy.

The Threat Environment Driving Congressional Urgency

The regulatory momentum behind CIRCIA is not happening in a vacuum. The threat environment justifies it entirely.

KELA recorded 4,701 ransomware incidents globally between January and September 2025, up from 3,219 during the same period in 2024. Of these, 2,332 attacks, or 50%, targeted critical infrastructure sectors, marking a 34% year-over-year increase in attacks on essential industries. Half of all ransomware attacks in 2025 struck critical sectors, from manufacturing and healthcare to finance and transportation.

Ransomware accounted for around 60% of the value of large cyber insurance claims (greater than €1 million) seen by Allianz Commercial during the first six months of 2025.

That figure is not an abstraction for your board. It maps directly to your D&O exposure and your cyber insurance renewal conversation.

Congress is moving in parallel with CISA.

On February 16, 2026, a House subcommittee voted 12-0 to report a cybersecurity measure favorably to the full House committee, demonstrating bipartisan interest in elevating cybersecurity requirements for the financial services sector. The bill would mandate comprehensive information security programs and documented incident-response procedures for covered entities, aligning regulatory expectations with broader federal cyber risk frameworks.

The vote count matters: 12-0 is not partisan noise. It is a signal about which direction regulation is heading for financial sector firms and, by precedent, for adjacent industries.

The regulatory environment has shifted from voluntary best practices to mandatory timelines with enforcement teeth. A board that waits for the final rule before building its incident response governance structure will spend the first 72 hours of an incident determining who has authority, not exercising it.

Where Boards Are Falling Short: A Governance Gap Analysis

52% of organizations say directors or executives have faced fines, job loss, or other serious professional consequences following a cyberattack. Insufficient cyber literacy at the board level is not just a governance weakness; it is a systemic issue.

CIRCIA adds an additional enforcement layer on top of the SEC's existing cybersecurity disclosure rules, which already require public companies to report material incidents on Form 8-K and describe board oversight in annual filings.

The fallout from the SEC's enforcement action against SolarWinds and shareholder litigation over the company's alleged failure to manage cybersecurity risks highlight the need for thoughtful board governance in this area. Boards should review how oversight responsibility for cybersecurity risk is assigned and coordinated within the board and with management to facilitate clear lines of communication in the event of a cybersecurity incident.

The following table maps where most organizations stand against where CIRCIA requires them to be, measured against NIST CSF 2.0 Govern and Respond functions:

| Governance Dimension | Typical Current State | CIRCIA-Ready State | Key NIST CSF 2.0 Function |
|---|---|---|---|
| Covered entity determination | Unknown or assumed | Documented legal analysis on file | GV.OC (Organizational Context) |
| Incident materiality authority | Unclear; decided ad hoc | Pre-defined thresholds; named decision-maker | GV.RR (Roles & Responsibilities) |
| 72-hour reporting workflow | No documented playbook | Board-approved, tabletop-tested playbook | RS.CO (Incident Response Communication) |
| 24-hour ransomware payment protocol | Payment decisions escalated in crisis | Pre-authorized escalation path with legal review | RS.MA (Incident Management) |
| SEC 8-K coordination | Siloed from IR process | Integrated dual-track disclosure plan | GV.PO (Policy) |
| Board briefing cadence | Annual or ad hoc | Quarterly structured updates with defined metrics | GV.OV (Oversight) |
| Cyber insurance alignment | Reviewed at renewal | Playbook documentation tied to policy conditions | GV.RM (Risk Management) |

The gap between columns two and three is not a technology gap. It is a governance gap. Technology teams cannot close it alone.

Three Emerging Governance Obligations Boards Must Own

The "Reasonable Belief" Problem

CISA acknowledges that the point at which a covered entity should have "reasonably believed" a covered cyber incident occurred is subjective and will depend on the specific factual circumstances. Accordingly, the agency is not proposing a definition of the term "reasonably believes."

That ambiguity places the burden squarely on organizational leadership. Your board must define, in advance, what constitutes a triggering event for escalation. Without that definition in writing, your organization's first substantive debate about CIRCIA will occur under the pressure of an active incident, with every minute counting against your 72-hour deadline.

Overlapping Disclosure Obligations

Organizations must start coordinating plans to comply with reporting requirements and align information reported pursuant to CIRCIA with information reported elsewhere, for example in SEC filings and other public disclosures.

A single significant incident now potentially triggers CIRCIA reporting to CISA, SEC Form 8-K materiality disclosure, sector-specific reporting obligations (HIPAA, NERC CIP, PCI DSS), and insurer notification requirements. Boards that have not mapped these obligations to a single integrated workflow will file contradictory reports under pressure. That outcome is worse than a late filing.

The Insurance Coverage Cliff

Cyber liability risks for directors and officers have risen sharply in recent years with higher expectations for board-level oversight of cybersecurity and a trend toward more litigation and regulatory actions. Exposures for D&Os typically arise from their duty to oversee the organization's cybersecurity posture. Claims against directors have been triggered by a wide range of events, including data breaches, ransomware attacks, and even technical glitches.

Cyber insurers are beginning to require documented evidence of CIRCIA preparedness as a condition of coverage. Organizations that cannot demonstrate board-approved playbooks and tested escalation paths risk policy exclusions at precisely the moment they need coverage most.

Your Board's CIRCIA Readiness Checklist

Use this before your next board meeting. Every "No" answer is an open governance risk:

  • [ ] Has legal counsel completed a formal covered entity determination under the CIRCIA NPRM criteria?
  • [ ] Does your incident response plan include an explicit 72-hour CISA reporting workflow, approved at the board level?
  • [ ] Is there a named decision-maker with authority to trigger the CIRCIA reporting obligation, without requiring board convening?
  • [ ] Does your ransomware payment protocol include a 24-hour CISA reporting requirement, with pre-authorized escalation to legal and executive leadership?
  • [ ] Have you conducted a tabletop exercise that tests the 72-hour reporting timeline end-to-end, including the CISA reporting step?
  • [ ] Has your legal team mapped CIRCIA obligations against your SEC 8-K disclosure timeline and your sector-specific reporting requirements?
  • [ ] Has your cyber insurer confirmed that your current policy does not require CIRCIA-readiness documentation as a coverage condition?
  • [ ] Does your board receive structured cyber risk updates at least quarterly, covering incident response readiness in financial terms?
A well-defined incident escalation and disclosure process is a cornerstone of effective board oversight. This process should clearly delineate thresholds for escalation to the board and relevant committees, and outline roles and responsibilities for the board and management during a cyber incident.

That documentation does not write itself, and it cannot be written during an incident.

Framework Alignment: What "Prepared" Actually Looks Like

Compliance with CIRCIA's timeline requirements maps directly to capability maturity under established frameworks. NIST CSF 2.0 introduced the Govern function specifically to elevate cybersecurity risk management to the organizational strategy level, which is precisely where CIRCIA's demands land. ISO 27001:2022 Annex A controls 5.24 and 5.26 address incident management planning and response to incidents, both of which require pre-defined procedures and authorities. CIS Controls v8 Control 17 mandates an incident response management program with documented roles, escalation paths, and communication plans.

CIRCIA does not introduce foreign concepts. It makes existing framework requirements legally enforceable with federal penalties for non-compliance. Organizations that have maintained mature incident response programs aligned to these frameworks will have significantly less work to do. Those operating with legacy, untested playbooks will face both operational and legal exposure simultaneously.

How I Help

Boards need more than a briefing on CIRCIA. They need a structured governance framework that protects directors, satisfies regulators, and positions the organization to act decisively under the pressure of a live incident. Through my Board Advisory service, I build exactly that: a board-ready cyber risk presentation with your exposure quantified in financial terms, a CIRCIA readiness assessment mapped to your specific sector and organizational profile, and a governance framework your directors can own and reference in every regulatory interaction. I translate incident response obligations into the board-level language of fiduciary duty, financial exposure, and documented oversight, giving your directors the confidence to demonstrate active governance before an examiner or litigant asks the question.

For organizations that need a seasoned security leader embedded in the process, my vCISO service provides fractional CISO leadership to build and own the incident response program. For teams working through sector-specific reporting harmonization and control framework alignment, my Compliance Advisory service maps CIRCIA obligations against your existing regulatory environment. For AI-related cyber risk governance, including the overlapping governance demands as AI systems become classified as critical assets, my AI Governance service addresses the emerging intersection of AI deployment and cyber incident reporting obligations. For organizations that need to validate the technical architecture supporting their detection-to-reporting pipeline, my Security Architecture service stress-tests the controls that CIRCIA's timeline depends on.

The most common board question I receive after a CIRCIA briefing is not "what does this cost?" It is "can we be ready before the final rule takes effect?" The answer is yes, but only for boards willing to act now rather than wait for enforcement to create urgency. If your next board meeting does not include a CIRCIA readiness discussion, consider forwarding this post to your general counsel and risk committee chair today.

Schedule a discovery call to discuss where your organization stands and what a board-ready CIRCIA governance program looks like for your sector.

Tags: CIRCIA, Incident Response, Cyber Governance, Critical Infrastructure, Ransomware Compliance, Board Advisory

Adil Karam

Security & AI Governance Advisor

Helping organizations navigate security leadership and AI governance challenges.
