RoutineMetric

CIRCIA Cyber Incident Reporting Calculator

Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), covered entities must report substantial cyber incidents to CISA within 72 hours of reasonable belief that the incident occurred, and ransomware payments within 24 hours of payment. Use this dual-purpose utility to determine covered status and map your exact legal deadlines.

Step 1: Covered Entity Eligibility Screener

CIRCIA applies to entities within any of the 16 critical infrastructure sectors that exceed CISA's size/impact thresholds.

Sector Thresholds Checklist (If any apply, you may be a Covered Entity):
  • Community water systems serving more than 3,300 people
  • Publicly owned treatment works (POTWs) serving major metropolitan areas

Complete both questions above to generate an instant preliminary CIRCIA coverage assessment.

Step 2: Incident Timestamp & Type

CIRCIA operates on strict, absolute calendar hours. Business hours, holidays, and weekends do not delay the reporting clock.

Compliance Deadlines

Status / Time Remaining
CISA Reporting Deadline (Your Selected Zone):

CISA Reporting Deadline (UTC Coordinated Time):

CISA Reporting Form Checklist

Be prepared to provide the following details to CISA:

  • Identification and contact details of the covered entity.
  • Detailed description of the impacted systems, networks, or devices.
  • Description of the vulnerabilities exploited (if known).
  • The malicious actors' tactics, techniques, and procedures (TTPs).
  • Any ransom details (demand amount, currency, instructions, amount paid if applicable).
  • Mitigation measures implemented or planned.

Enforcement & Penalties

If a covered entity fails to report within the mandated timeframe:

  • Request for Information (RFI): CISA may issue an administrative request to gather data about the incident.
  • Subpoena Power: Failure to respond to an RFI can result in a federal subpoena forcing disclosure.
  • Civil Enforcement: Referral to the Department of Justice (DOJ) to seek civil actions, injunctions, or contempt of court charges.
  • Federal Contracting: Non-compliance can lead to suspension or debarment from federal contracts.
Bottom Banner Ad (728x90)

Understanding CIRCIA: Compliance Timelines and Covered Entity Status

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law to bolster national cybersecurity, fundamentally changes how critical infrastructure companies interact with federal regulatory bodies following a breach. Run by the Cybersecurity and Infrastructure Security Agency (CISA), CIRCIA mandates streamlined, urgent updates to help prevent cascading cyber failures across key sectors.

The Reporting Deadlines: 72 vs. 24 Hours

CIRCIA compliance is governed by two clear-cut timelines depending on the type of threat vector:

  • Substantial Cyber Incidents (72-Hour Rule): Covered organizations must report any significant incident within 72 hours of "reasonable belief" that the event occurred. This applies to incidents that severely impact operations, cause unauthorized system access, or compromise third-party provider systems.
  • Ransomware Payments (24-Hour Rule): If an organization decides to pay a ransom demand resulting from a ransomware attack, they have a strict 24-hour reporting window starting from the minute the payment transaction is initiated.

Who Counts as a "Covered Entity"?

The scope of CIRCIA covers 16 critical infrastructure sectors defined by Presidential Policy Directive 21 (PPD-21). However, CISA distinguishes between small businesses and larger critical systems. Typically, organizations are covered if they meet the SBA size standards for their sector, operate active community water systems, manage critical bulk power lines, administer regional hospitals, or run critical IT managed services.

Why "Strict Calendar Hours" Matter

Unlike many other compliance obligations, CIRCIA does not acknowledge "business days" or standard bank holidays. A breach discovered on Friday afternoon at 5:00 PM must be filed by Monday afternoon at 5:00 PM. Organizations must maintain an active, 24/7 Incident Response Plan (IRP) that incorporates direct communication lines to CISA. Using this calculator, security officers can determine their target timestamps in UTC, avoiding potential legal recourse and severe regulatory penalties.