The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a revised schedule for virtual town hall meetings on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The sessions, set to begin June 15, will gather stakeholder input as the agency advances the rulemaking process aimed at strengthening national cybersecurity while minimizing compliance burdens for critical infrastructure organizations.
The updated meetings replace sessions originally planned for March and April 2026 that were postponed following the recent shutdown affecting the Department of Homeland Security. CISA said it remains committed to providing stakeholders an opportunity to offer additional feedback before the CIRCIA rule is finalized.
The virtual town hall meetings will begin with general session 1 on Monday, June 15, 2026, followed by critical infrastructure sectors grouping A on Tuesday, June 16, 2026. That session will include stakeholders from the communications, dams, emergency services, food and agriculture, government facilities, healthcare and public health, transportation systems, and water and wastewater sectors.
General session 2 is scheduled for Wednesday, June 17, 2026, while critical infrastructure sectors grouping B will take place on Thursday, June 18, 2026. The latter session will include participants from the chemical, commercial facilities, critical manufacturing, defense industrial base, energy, financial services, information technology, and nuclear reactors, materials, and waste sectors.
“CISA is working to maximize the impact of CIRCIA to significantly improve our Nation’s cybersecurity posture. At the same time, CISA values the interest and concern our stakeholders have that CIRCIA will be implemented with minimal unnecessary burden to entities in critical infrastructure sectors,” Nick Andersen, CISA’s acting director, said in a Tuesday media statement. “CISA appreciates our stakeholder’s patience with waiting for our rescheduled town hall meetings to provide their critical input as we finalize this rule. As an agency built on collaboration and coordination, CISA is committed to hearing from the American people, critical infrastructure owners and operators, and other community members.”
CIRCIA is a U.S. law that will help the government quickly respond to cyber threats and share information to protect critical infrastructure. Once the final rule is implemented, covered organizations will be required to report certain cyber incidents to CISA within 72 hours and ransom payments within 24 hours.
CISA has received numerous requests for additional engagement on the CIRCIA rulemaking process and greatly values its stakeholders’ interest in shaping a final rule that maximizes CIRCIA’s impact on our Nation’s cybersecurity posture while minimizing unnecessary burden. Given the broad stakeholder community that CIRCIA may potentially impact, CISA will conduct a series of town hall meetings to solicit input on the Notice of Proposed Rulemaking (NPRM). CISA selected this approach to gather additional engagement on the CIRCIA NPRM to provide access to CISA across the broad range of entities within the critical infrastructure sectors.
CISA issued the CIRCIA NPRM in April 2024. To inform the CIRCIA NPRM, CISA hosted in-person public listening sessions across the country, conducted virtual sector-specific sessions, and engaged with Sector Risk Management Agencies (SRMAs) and other federal partners—all aimed at gathering meaningful input from a broad range of stakeholders.
The NPRM was open for a 90-day public comment period.
