CISA Announces Town Halls Seeking Input on CIRCIA Implementation

On February 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) within the US Department of Homeland Security published a notice in the Federal Register announcing that it would hold a series of town halls to “allow external stakeholders a limited additional opportunity to provide input on refining the scope and burden” of the proposed rule that would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Although CISA did not reopen the comment period, this announcement presents an opportunity for interested stakeholders to further inform CISA’s approach to implementing this significant federal cyber incident reporting statute. More broadly, this notice signals CISA’s continued focus on this rulemaking as it approaches May 2026, the date that CISA previously identified in a regulatory filing as the expected release date of a final rule.

As discussed in our prior Legal Update, on March 27, 2024, CISA released a much-anticipated notice of proposed rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Under the proposed rule, covered entities will have 72 hours to report to CISA a “covered cyber incident” and 24 hours to report a ransom payment (even if it is not a payment associated with a covered incident). As proposed, the rule would substantially expand on existing US cyber incident reporting requirements and have important implications for how relevant companies respond to cyber incidents.

CISA now is hosting town hall meetings to seek “any specific, actionable improvements that CISA could implement in the final rule to clarify or reduce burden of CIRCIA’s regulatory requirements while enhancing the federal government’s visibility into the cyber threat landscape for critical infrastructure sectors.” CISA further explains that “[i]nput that would be most useful are examples on how the [Notice of Proposed Rulemaking] may impact regulated entities and specific improvements, including how such suggestions would increase the benefit of CIRCIA to critical infrastructure owners and operators.” Participates may also provide “data or specific written materials” within seven days of each town hall.

Subject to the ending of the partial government shutdown currently affecting DHS, CISA intends to host sector-specific town hall meetings throughout March and two general town hall sessions, with the final session on April 2. CISA will create a transcript for each of these sessions that will be entered into the CIRCIA rulemaking docket. CISA chose not to reopen the comment period at this time, but notes that it “may elect to do so in the future.” In addition, if stakeholders want CISA to “consider data or specific written materials as part of a town hall meeting,” they may email that information to CISA “no later than seven (7) calendar days after the meeting.”

The CIRCIA rulemaking has significant implications for companies across many sectors. Interested companies and trade associations may therefore wish to participate in the upcoming town halls in order to further weigh in on the questions raised by CISA or other priority issues. And companies would be wise to view this notice as a signal that the CIRCIA rulemaking is moving forward once more. Companies should be prepared to revisit their assessments of CIRCIA’s potential impact on their cyber incident response processes to ensure that they are well-positioned to respond if CISA does go forward with a final rule in the coming months.