What Does CIRCIA Require—and How Can You Prepare for Reporting Cyber Incidents?
What Is CIRCIA?
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is a United States federal law that mandates timely reporting of major cyber incidents—including ransomware payments. Its goal is to improve the cybersecurity of the nation and enable the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) to collect, analyze, and share threat intelligence more effectively.
As the thinking goes, if CISA becomes aware of incidents in relatively short order, it can enable defenders and provide assistance to victims more swiftly.
CIRCIA, which was signed into law in 2022, applies to a wide range of sectors considered essential to national security and economic stability, including energy, healthcare, financial services, and communications.
What Does CIRCIA Require?
Under the proposed 2024 framework, organizations designated as “covered entities” must:
- Report substantial cyber incidents within 72 hours from the time the organization reasonably believes it to have occurred
- Report ransomware payments within 24 hours
- Retain and preserve related logs, communications, and forensic data
Note that unauthorized access that is caused by or facilitated through a supply chain compromise, such as at a third party or vendor, can be considered a substantial cyber incident under CIRCIA.
Who Must Comply?
CIRCIA notes that there are multiple ways in which organizations are considered covered entities: they can qualify by size or by sector. By size, CIRCIA applies to organizations that exceed the small business standard set by the Small Business Administration (SBA). By sector, it covers organizations in the 16 sectors designated as critical infrastructure by Presidential Policy Directive 21. These sectors include:
- Financial services
- Healthcare and public health
- Transportation systems
- Energy
- Information technology
- Communications
- Water and wastewater systems
- Food and agriculture
- Emergency services
- Critical manufacturing
If your business delivers essential services in these sectors, CIRCIA applies.
What Triggers a Reporting Obligation?
In addition to ransomware payments, which trigger a 24-hour reporting timeline, a substantial cyber incident triggers a 72-hour reporting timeline under CIRCIA. A substantial cyber incident is one that causes:
- A loss of confidentiality, integrity, and availability
- A serious impact on the safety or integrity of an operational system or process
- A disruption of business (such as those incidents involving ransomware, a Denial-of-Service attack, or exploitation of a zero-day)
Supply chain compromises, such as those that stem from a third party or vendor, are designated as substantial cyber incidents as well.
Why CIRCIA Matters for Third-Party Risk
According to SecurityScorecard’s 2025 Global Third-Party Breach Report:
- 35.5% of all breaches involved third-party access
- 4.5% extended to fourth parties, magnifying the impact across ecosystems
- 41.4% of ransomware attacks began with third parties
- Ransomware actors lead the pack and are responsible for 64.8% of attributable breaches
CIRCIA acknowledges that modern threats often enter through external partners, and it holds companies accountable for the actions and cyber risks of their digital supply chains. To comply, organizations must track not only their own systems, but also vendor access, breach history, and cyber hygiene.
How to Prepare for CIRCIA
Preparation requires operational alignment between legal, security, and risk teams. Key steps can include:
1. Confirm Whether You Are a Covered Entity
Use CISA’s critical infrastructure and size definitions to assess whether your organization will fall under CIRCIA.
2. Build Incident Response Timelines
Update incident response playbooks to meet CIRCIA’s 72-hour and 24-hour deadlines. Define escalation paths, reporting roles, and executive decision workflows. Include vendor-level agreements in this planning stage.
3. Improve Vendor Visibility
Many reportable breaches begin with third parties. Ensure you know:
- Which vendors access sensitive systems
- Their past breach history and rating performance, as breach history can be indicative of future risk
- Points of contact and incident response responsibilities in case of breach
SecurityScorecard’s Supply Chain Detection and Response (SCDR) solution can provide organizations improved vendor visibility, continuous monitoring, and vendor engagement.
4. Preserve Forensic Evidence
Ensure your systems collect and retain the necessary data to comply with post-incident evidence requirements under CIRCIA, including, but not limited to:
- Logs
- Communication records
- Memory captures
- Forensic images
- System information
- Indicators of Compromise (IOCs)
- Exploit payloads or ransomware notes
- Detection and containment timelines
This information can be instrumental in enabling CISA to understand how a threat actor carried out an attack and therefore better assist defenders and other potential victims in thwarting the attack. Authorities may also find this information useful in conducting investigations.
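As an added example (not code from the original article or from SecurityScorecard), the following Python triage helper applies the two reporting clocks from step 2 and the evidence checklist from step 4 to a constructed incident record. The Incident fields, the evidence category names, and the assumption that a loss of any one of confidentiality, integrity or availability counts as substantial are this example's own, not CISA's.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reporting windows as stated on this page (2024 draft framework).
INCIDENT_WINDOW = timedelta(hours=72)  # runs from reasonable belief, not root-cause confirmation
RANSOM_WINDOW = timedelta(hours=24)    # runs from the ransomware payment
CIA = {"confidentiality", "integrity", "availability"}
# Evidence categories from the page's preservation list (hypothetical checklist, not a CISA schema).
EVIDENCE = ("logs", "communications", "memory_captures", "forensic_images",
            "system_information", "iocs", "payloads_or_ransom_notes", "timelines")

@dataclass
class Incident:
    name: str
    reasonable_belief_at: datetime          # timezone-aware; when the org reasonably believed it occurred
    cia_loss: set = field(default_factory=set)
    safety_or_operational_impact: bool = False
    business_disruption: bool = False       # ransomware, DoS, zero-day exploitation
    supply_chain_origin: bool = False       # third party or vendor compromise
    ransom_paid_at: datetime = None         # None if no payment was made
    evidence_preserved: set = field(default_factory=set)

def is_substantial(inc: Incident) -> bool:
    # Page's triggers; assumption: loss of any one CIA property is enough to count.
    return bool(inc.cia_loss & CIA) or inc.safety_or_operational_impact \
        or inc.business_disruption or inc.supply_chain_origin

def reporting_deadlines(inc: Incident) -> dict:
    # ISO-8601 deadline per obligation; a paid ransom adds a second, shorter clock.
    due = {}
    if is_substantial(inc):
        due["substantial_incident"] = (inc.reasonable_belief_at + INCIDENT_WINDOW).isoformat()
    if inc.ransom_paid_at is not None:
        due["ransomware_payment"] = (inc.ransom_paid_at + RANSOM_WINDOW).isoformat()
    return due

def missing_evidence(inc: Incident) -> list:
    # Categories still to capture before the preservation obligation is met.
    return [c for c in EVIDENCE if c not in inc.evidence_preserved]

def sample_incident() -> Incident:
    # Constructed scenario: a vendor's remote-access account is abused, systems encrypted, ransom paid.
    utc = timezone.utc
    return Incident(name="constructed-vendor-ransomware",
                    reasonable_belief_at=datetime(2025, 3, 3, 9, 0, tzinfo=utc),
                    cia_loss={"availability"}, business_disruption=True, supply_chain_origin=True,
                    ransom_paid_at=datetime(2025, 3, 4, 15, 30, tzinfo=utc),
                    evidence_preserved={"logs", "forensic_images", "payloads_or_ransom_notes"})
```

Running `reporting_deadlines(sample_incident())` yields both deadlines, and `missing_evidence` lists the five categories the constructed record has not yet captured.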
SecurityScorecard’s MAX managed service integrates with SOC workflows to support real-time crisis response, providing breach documentation and forensic readiness that may help ease the burden during high-pressure moments.
Elevate Your Cybersecurity Strategy with MAX
Leverage SecurityScorecard’s MAX to gain unparalleled visibility into your nth party ecosystem. Our managed service not only identifies vulnerabilities but also provides remediation support, ensuring your supply chain remains secure and compliant.
Frequently Asked Questions
What if the breach started at a vendor?
If the incident affects your operations, systems, or data, you may still be obligated to report, regardless of where it originated. CIRCIA recognizes unauthorized access that stems from a supply chain compromise as a substantial cyber incident.
Is CIRCIA fully enforced yet?
As of early 2025, final rules are still pending. However, CISA has encouraged organizations to begin aligning practices with the draft requirements, since sharing the information can help CISA provide information to other potential victims or defenders.
Do ransomware payments require government notification?
Under CIRCIA, organizations that pay ransoms must notify within 24 hours.
