CIRCIA: What SMBs Need to Know About 72-Hour Incident Reporting
CISA's CIRCIA rule requires covered businesses to report cyber incidents within 72 hours. Find out if your company qualifies and what to prepare now.

A new federal rule is about to change how businesses handle cyberattacks. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires covered organizations to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. CISA estimates that over 316,000 organizations will be subject to the rule once it takes effect.
If your business operates in healthcare, IT services, financial services, energy, or any of the 16 critical infrastructure sectors, this is a compliance obligation you need to plan for now. The final rule is expected in 2026, and the reporting requirements go live shortly after publication.
What CIRCIA Actually Requires
CIRCIA creates two mandatory reporting timelines. First, covered entities must report any “covered cyber incident” to CISA within 72 hours of reasonably believing the incident occurred. Second, any ransomware payment must be reported within 24 hours. These are separate obligations, so a ransomware attack that triggers both a cyber incident and a payment requires two reports on different timelines.
Reports go directly to CISA, not to the FBI or other agencies. CISA will share relevant information with other federal agencies as needed, but your obligation is to file with CISA. The reporting mechanism will be an online portal, and CISA has committed to keeping the process straightforward.
One important protection for businesses: information submitted under CIRCIA is exempt from FOIA requests and cannot be used in regulatory enforcement actions against the reporting entity. Congress specifically designed this to encourage honest, timely reporting without fear of self-incrimination. That protection disappears if you fail to report and CISA finds out through other channels.
Does CIRCIA Apply to Your Business?
Coverage depends on two factors: your industry sector and your organization’s size.
CIRCIA applies to entities in the 16 critical infrastructure sectors defined by Presidential Policy Directive 21. The sectors most relevant to Texas SMBs include:
- Healthcare and Public Health (hospitals, clinics, insurers, pharmaceutical companies)
- Information Technology (MSPs, SaaS providers, data centers, cloud services)
- Financial Services (banks, credit unions, insurance companies, investment firms)
- Communications (telecom, ISPs, broadcast)
- Energy (oil and gas, electric utilities, pipelines)
- Transportation (logistics, trucking, shipping, aviation)
- Commercial Facilities (large retail, entertainment, real estate)
- Critical Manufacturing (metals, machinery, electrical equipment, transportation equipment)
The size threshold generally follows SBA small business size standards. Organizations with fewer than 500 employees or less than $7.5 million in annual revenue are typically exempt. However, sector-specific criteria can override that exemption. A 200-person IT services company that provides managed security to government agencies, for example, could still be covered based on the nature of its work rather than its headcount.
If you’re unsure whether your business qualifies, the safest approach is to prepare as though you’re covered. The reporting procedures you’ll build are good operational practice regardless of whether CIRCIA technically applies to you.
What Counts as a Reportable Incident
Not every phishing email or blocked malware scan triggers a CIRCIA report. The rule focuses on “substantial cyber incidents” that meet specific criteria.
A covered cyber incident generally includes events where an attacker gains unauthorized access to your systems, disrupts your business operations, or compromises the confidentiality or integrity of your data. Specific triggers include:
- Unauthorized access to critical systems or sensitive data, including employee PII, customer records, or financial information
- Disruption of business operations caused by ransomware, DDoS attacks, or destructive malware
- Compromise of cloud environments including Microsoft 365, Azure, or AWS accounts
- Supply chain compromises where a vendor breach gives attackers access to your environment
- Exploitation of known vulnerabilities that results in system compromise
A failed phishing attempt that your email security catches does not require a report. A successful phishing attack that leads to credential theft and unauthorized access to your financial systems does. The threshold is actual or likely harm to your operations or data, not the mere presence of a threat.
What the Report Must Include
CISA’s reporting form will ask for specific information about the incident. Having this data ready before an incident happens is the difference between meeting the 72-hour window and scrambling to collect facts while your systems are still compromised.
The report requires:
- A description of the incident, including what systems were affected and what the attacker did
- The date and time the incident was discovered (or reasonably believed to have occurred)
- Vulnerabilities exploited, if known
- Indicators of compromise such as IP addresses, malware hashes, or attacker infrastructure
- Contact information for the person filing the report
- Impact assessment covering operational disruption, data exposure, and affected individuals
For ransomware payments specifically, you must also report the payment amount, payment method (usually cryptocurrency), the ransom demand details, and any instructions received from the attacker.
Building Your Incident Reporting Procedure
The 72-hour clock starts when you “reasonably believe” an incident has occurred. That means your ability to detect, assess, and report an incident quickly is the real compliance challenge here. Three days sounds manageable until you factor in the time it takes most businesses to confirm that something actually happened.
According to IBM’s 2024 Cost of a Data Breach Report, the average time to identify a breach is 194 days. CIRCIA doesn’t give you 194 days. It gives you 72 hours from the point you know (or should know) something happened. That gap between typical detection speed and the reporting deadline is where most businesses will struggle.
Here’s what to put in place now:
1. Assign a CIRCIA reporting owner. Designate one person (and a backup) responsible for filing CIRCIA reports. This should be someone with authority to make the call on whether an incident meets the reporting threshold. Document their contact information and ensure they know how to access the CISA reporting portal.
2. Build a detection-to-reporting timeline. Map out your current incident response process and identify where the bottlenecks are. If your IT team discovers a breach on a Friday afternoon, who gets notified? How quickly can you assemble the facts CISA requires? If you work with a managed security provider, confirm that their incident response procedures include CIRCIA reporting support and that they understand the 72-hour obligation.
3. Create a reporting template. Pre-fill everything you can. Your company name, sector classification, primary contact information, and system inventory should all be documented before an incident happens. During an active incident, your team should focus on collecting incident-specific details, not looking up basic organizational information.
4. Run a tabletop exercise. Walk your team through a simulated incident and test whether you can collect the required information and file a report within 72 hours. The first 48 hours of incident response are the most chaotic, and a rehearsal will expose gaps in your process before a real incident forces you to find them under pressure.
5. Review your cyber insurance policy. Many cyber insurance carriers already require policyholders to have incident reporting procedures in place. CIRCIA reporting may satisfy some of those contractual obligations, but you should confirm with your broker. If your policy requires notification to the carrier within a specific timeframe, make sure that obligation is included in your incident response runbook alongside the CISA report.
How This Stacks With Existing Texas Requirements
Texas businesses in regulated industries are already dealing with layered compliance obligations. CIRCIA adds a federal layer on top of state requirements, and the timelines don’t always align.
HIPAA requires notification to HHS within 60 days for breaches affecting 500 or more individuals. CIRCIA’s 72-hour window is significantly tighter. If you experience a breach that triggers both HIPAA and CIRCIA, the CISA report comes first by a wide margin.
The Texas Data Privacy and Security Act (TDPSA) requires notification to affected individuals within 60 days. Again, CIRCIA’s 72-hour requirement to notify CISA runs well ahead of your state obligations.
For defense contractors subject to CMMC, the existing DFARS 7012 clause already requires 72-hour notification to the DoD Cyber Crime Center for incidents involving controlled unclassified information. CIRCIA adds a parallel requirement to notify CISA. The timelines match, but the reports go to different agencies with different formats.
The practical takeaway: your incident response plan needs to account for multiple reporting obligations with different deadlines, different recipients, and different information requirements. A single incident could trigger reports to CISA, HHS, the Texas Attorney General, your cyber insurance carrier, and affected individuals, each with its own timeline and format.
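As an added illustration (not part of the original article) of the runbook step above and of the "build a detection-to-reporting timeline" item earlier, the script below turns the deadlines this article cites into an ordered notification list for one incident. The sector, recipients and the 48-hour insurance-carrier window are constructed assumptions; real clocks (HIPAA, TDPSA) run from discovery or determination, so anchoring them all at the "reasonable belief" time is a simplification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Obligation:
    recipient: str
    deadline: datetime
    basis: str

def reporting_obligations(reasonable_belief_at, *, ransom_paid_at=None,
                          phi_individuals=0, texas_residents_affected=False,
                          involves_cui=False, carrier_notice_hours=None):
    """Every notification the incident triggers, earliest deadline first.
    Deadlines are the ones the article cites; every clock except the ransom
    payment is anchored at the 'reasonable belief' time (a simplification)."""
    t0 = reasonable_belief_at
    obs = [Obligation("CISA (CIRCIA covered cyber incident)",
                      t0 + timedelta(hours=72), "CIRCIA: 72 hours")]
    if ransom_paid_at is not None:  # separate clock that starts at the payment
        obs.append(Obligation("CISA (ransomware payment)",
                              ransom_paid_at + timedelta(hours=24), "CIRCIA: 24 hours"))
    if phi_individuals >= 500:
        obs.append(Obligation("HHS (HIPAA breach)", t0 + timedelta(days=60), "HIPAA: 60 days"))
    if texas_residents_affected:
        obs.append(Obligation("Affected individuals (TDPSA)", t0 + timedelta(days=60), "TDPSA: 60 days"))
    if involves_cui:
        obs.append(Obligation("DoD Cyber Crime Center (DFARS 7012)",
                              t0 + timedelta(hours=72), "DFARS 7012: 72 hours"))
    if carrier_notice_hours is not None:  # policy-specific; the value is an assumption
        obs.append(Obligation("Cyber insurance carrier", t0 + timedelta(hours=carrier_notice_hours),
                              f"policy: {carrier_notice_hours} hours (assumed)"))
    return sorted(obs, key=lambda o: o.deadline)

def hours_remaining(obligation, now):
    """Hours left on one obligation's clock; negative once it has been missed."""
    return (obligation.deadline - now) / timedelta(hours=1)

# Constructed scenario: Friday-afternoon discovery, PHI of 1,200 people, ransom paid 30h later.
T0 = datetime(2026, 3, 6, 16, 30, tzinfo=timezone.utc)

def demo_obligations():
    return reporting_obligations(T0, ransom_paid_at=T0 + timedelta(hours=30),
                                 phi_individuals=1200, texas_residents_affected=True,
                                 carrier_notice_hours=48)

if __name__ == "__main__":
    for o in demo_obligations():
        print(f"{o.deadline:%a %Y-%m-%d %H:%M} UTC  {o.recipient:<40} {o.basis}")
```

Run it and the carrier notice, the 24-hour payment report and the 72-hour CISA report all land before the weekend is over, while the HIPAA and TDPSA clocks run into May.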
Start Preparing Now
CIRCIA compliance isn’t something you can handle after an incident occurs. The 72-hour reporting window demands preparation. The businesses that will meet this deadline are the ones with monitoring in place to detect incidents quickly, documented procedures to assess and classify what happened, and a pre-built reporting workflow that their team has practiced.
If you don’t have a cybersecurity risk assessment on file, that’s the starting point. You need to understand your current detection capabilities, your incident response maturity, and whether your existing processes can support a 72-hour federal reporting obligation.
Need Help With CIRCIA Compliance?
Our team can help you build an incident reporting procedure, assess your detection capabilities, and prepare for the 72-hour reporting deadline.