CISA Significant Incident Declarations and Cyber Incident Reporting

Updated May 14, 2026

The newer Title 6 cyber provisions do two related but distinct things. First, they let DHS declare a significant cyber incident and unlock coordination and funding tools for recovery. Second, they require covered critical-infrastructure entities to report certain cyber incidents and ransom payments to CISA. Together, 6 U.S.C. §§ 677-677e and 681-681g create a modern federal cyber-escalation framework: one part is about government response to especially serious incidents, and the other is about mandatory reporting and national situational awareness. For CISA's broader critical infrastructure protection mission, see CISA Critical Infrastructure. For physical security programs that complement cyber incident response, see homeland security framework (DHS).

Current Law (2026)

| Parameter | Value |
|---|---|
| Core statutes | 6 U.S.C. §§ 677-677e; 681-681g |
| Main focus | Significant-incident declarations, cyber response funding, and mandatory cyber incident reporting |
| Primary agencies | DHS Secretary, CISA Director, National Cyber Director, Sector Risk Management Agencies, and covered critical-infrastructure entities |
| Key reporting deadlines | 72 hours for covered cyber incidents; 24 hours for ransom payments |
| Distinctive feature | Combines escalation authority with reporting, information-sharing, and enforcement mechanisms |

Significant-incident declaration

Part C of Subchapter XVIII is not the routine reporting regime. It is a more exceptional authority. Under 6 U.S.C. § 677b, the Secretary of Homeland Security, in consultation with the National Cyber Director, may declare a significant incident when a serious cyber event has occurred or is imminent and ordinary resources are likely insufficient. Once that happens, CISA can coordinate asset-response activity across federal agencies and work with affected public and private entities.

The statute also establishes the Cyber Response and Recovery Fund under 6 U.S.C. § 677c, which can support coordination, technical assistance, recovery support, and certain grants or cooperative agreements tied to the declared incident.

Cyber incident reporting

Part D is the CIRCIA reporting framework. Under 6 U.S.C. § 681b, a covered entity that experiences a covered cyber incident must report it to CISA within 72 hours after reasonably believing the incident has occurred, and a covered entity that makes a ransom payment must report that payment within 24 hours.

This part also covers voluntary reporting, noncompliance procedures, liability and confidentiality protections, the Cyber Incident Reporting Council, and federal sharing rules so incident reports do not get trapped in agency silos.

How It Works

The statute separates two distinct mechanisms that operate at different thresholds. The Secretary's significant incident declaration under 6 U.S.C. § 677b is high-threshold and discretionary, reserved for incidents serious enough to justify extraordinary federal coordination tools, while the CIRCIA reporting obligations apply more broadly to covered entities facing reportable incidents regardless of whether any declaration has been made. The interagency sharing requirement in 6 U.S.C. § 681g addresses a structural fragmentation problem: before CIRCIA, cyber incident reports flowed to multiple federal agencies with limited cross-sharing, meaning CISA often lacked the full picture. The statute now requires federal agencies receiving cyber incident reports to share them with CISA rapidly, and pushes agencies to harmonize duplicative reporting requirements to reduce the burden on covered entities filing parallel reports to multiple regulators. Noncompliance has a defined escalation path: 6 U.S.C. § 681d gives CISA authority to request information from non-reporting entities and, if necessary, pursue subpoena-backed enforcement, making the reporting obligation legally enforceable rather than merely aspirational.

Why These Provisions Matter

These two provisions work together to shift federal cyber policy beyond purely voluntary reporting — before CIRCIA, much incident reporting depended on sector-specific rules, contracts, or informal cooperation; Congress now gives CISA a stronger baseline framework. The provisions also deliberately separate reporting from response escalation: not every report becomes a declared national cyber emergency, but declarations and reporting can interact when an especially serious incident affects many entities or causes major national harm. The statute embeds privacy and disclosure protections specifically to make reporting useful for national awareness without turning CISA into a conventional public-disclosure or regulatory punishment channel.

How It Affects You

If you operate a business in a critical infrastructure sector: CIRCIA's reporting requirements apply to covered entities in the 16 critical infrastructure sectors designated under Presidential Policy Directive 21 — which includes healthcare, energy (electric, oil/gas), water, transportation, financial services, information technology, communications, and more. The 72-hour clock for reporting a covered cyber incident runs from when your organization "reasonably believes" the incident occurred — not from when IT finishes the forensic investigation. Practically speaking: if ransomware locks your systems on a Monday morning, you likely have until Thursday to report to CISA, not three months. CISA published a proposed rule in March 2024 to define exactly which entities and incidents are covered; as of April 2026, the final rule had not yet been published, but organizations in the 16 sectors should assume they are likely covered and structure their incident response procedures accordingly.

What counts as a "covered cyber incident" under the proposed rule: CISA's March 2024 proposed rule suggested three categories: incidents that substantially disrupt business operations, incidents that meet a significant impact threshold on covered systems, or incidents that involve certain unauthorized access to operational technology or industrial control systems. A ransomware attack that forces you to shut down a manufacturing line or hospital department would almost certainly qualify. A phishing email that an employee caught and blocked would not. When in doubt during a live incident, legal counsel should be making the threshold judgment call — the consequences of not reporting when required are worse than filing a report when it's uncertain.

On ransom payments: The 24-hour ransom payment reporting deadline in 6 U.S.C. § 681b is separate from and faster than the 72-hour incident report. Even if you've already reported the underlying incident, a subsequent payment — including payments made through a third party like a cyber insurer or incident-response firm — triggers a fresh 24-hour clock. Payments to sanctioned entities (OFAC-listed groups) create an additional legal layer that needs legal review before payment, not after.

Key protections for reporters: Reports submitted under CIRCIA are protected from FOIA disclosure under 6 U.S.C. § 681e — they cannot be obtained through public records requests. Reports also cannot be used as the sole basis for a regulatory enforcement action against the reporting entity. These protections were deliberately included to encourage honest, complete reporting by organizations that might otherwise fear self-incrimination. The reporting obligation is federal; it does not pre-empt state breach notification laws, which typically run on their own separate timelines (often 30-72 days for consumer data).

If you are a lawyer, insurer, or incident-response provider: You are likely involved in every covered entity's first post-incident decision about whether and when to report. The 72-hour deadline means you cannot wait for a full post-incident review. Retainer agreements and incident response plans should already address CIRCIA reporting obligations, who in the organization has authority to submit the report, and how to coordinate with cyber insurers who may have separate contractual reporting requirements.

State Variations

  • The declaration and CIRCIA authorities are federal, but many entities also face state breach-notification or sector-specific state cyber rules.
  • States can be affected both as governments and as owners of critical systems, yet the reporting triggers here depend on federal definitions for covered entities and covered incidents.
  • Practical compliance will vary by sector because existing reporting obligations differ across energy, finance, health care, transportation, and other infrastructure areas.

Recent Developments

  • CIRCIA proposed rule (March 2024): CISA published its Notice of Proposed Rulemaking defining covered entities, covered cyber incidents, reporting timelines, and other operational details. The comment period closed in June 2024 and produced thousands of industry comments, many pushing back on the breadth of the proposed coverage definitions. As of April 2026, the final rule was still pending — making this one of the most watched cybersecurity regulatory processes in the federal government
  • CIRCIA final rule timing: The statute gave CISA 24 months from enactment to issue a final rule; that deadline passed without finalization, which is not uncommon for complex rulemakings. Covered entities should watch for a final rule in 2026 or 2027, with compliance deadlines to follow after publication
  • Significant-incident declaration framework: No major invocations of the new significant-incident declaration authority had occurred as of April 2026, but the framework was activated for pre-positioning purposes in the context of Chinese state-actor activity (Salt Typhoon, Volt Typhoon) targeting U.S. critical infrastructure, particularly telecommunications and water systems
  • Salt Typhoon telecom breach (2024-2025): The high-profile Salt Typhoon breach of major U.S. telecommunications carriers — including AT&T, Verizon, and others — which compromised call metadata and some content for senior government officials, brought CIRCIA's reporting and government-response architecture into sharp focus. CISA's role in coordinating the government's response to that incident demonstrated what the declaration and coordination machinery was designed for
  • Harmonization effort: The Cyber Incident Reporting Council, established by the statute, is working to reduce duplicative reporting requirements across federal agencies. As of April 2026, the Energy sector (NERC CIP), financial sector (SEC, FINRA), and healthcare sector (HHS) each have separate incident-reporting obligations that don't perfectly align with CIRCIA — the harmonization work is ongoing
