CISA pushes final cyber incident reporting rule to May 2026 | CyberScoop<\/title> <meta name=\"description\" content=\"The Cybersecurity and Infrastructure Agency is delaying finalization of CIRCIA until next year, according to a recent regulatory notice.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA pushes final cyber incident reporting rule to May 2026\"> <meta property=\"og:description\" content=\"The Cybersecurity and Infrastructure Agency is delaying finalization of CIRCIA until next year, according to a recent regulatory notice.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-09-08T18:29:20+00:00\"> <meta property=\"article:modified_time\" content=\"2025-09-08T18:29:24+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-5.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"683\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1754500264g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1756821995g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85888\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85888\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-pushes-final-cyber-incident-reporting-rule-to-may-2026%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-pushes-final-cyber-incident-reporting-rule-to-may-2026%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85888 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.69696969697\">\n<div class=\"single-article__header-content\" readability=\"34.430517711172\">\n<p> The agency will consider streamlining the CIRCIA rule and finding ways to deconflict with other cyber regulations. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85888\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-5.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-5.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-5.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-5.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-5.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-5.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-5.jpg?resize=1012,675 1012w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> Image showing the Colonial Pipeline Houston Station facility in Pasadena, Texas (Photo by Francois PICARD \/ AFP) (Photo by FRANCOIS PICARD\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"47.131494330682\"><body readability=\"97.984467455621\"><\/p>\n<p>The Cybersecurity and Infrastructure Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.<\/p>\n<p>Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget\u2019s Office of Information and Regulatory Affairs <a href=\"https:\/\/www.reginfo.gov\/public\/do\/eAgendaViewRule?pubId=202504&RIN=1670-AA04\">published an update<\/a> that moved the final rule\u2019s arrival to May 2026.<\/p>\n<p>A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies\u2019 cyber regulations.<\/p>\n<p>\u201cWe received a significant number of public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and ensure clarity,\u201d said Marci McCarthy, director of public affairs at CISA. \u201cStakeholder input is extremely important as we work to draft a rule that improves our collective security. CISA remains committed to implementing CIRCIA to maximize impact while minimizing unnecessary burden to entities in critical infrastructure sectors.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>McCarthy said CISA would take the time prior to May to \u201cexamine options within the rulemaking process to address Congressional intent and streamline CIRCIA\u2019s requirements.\u201d<\/p>\n<p>A top lawmaker and leading industry group also told CyberScoop the delay could help make those kinds of changes.<\/p>\n<p>House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the Trump administration assured him that it would prioritize soliciting additional feedback from groups that would be affected by the regulations.<\/p>\n<p>\u201cI support the administration\u2019s decision to extend the deadline for CIRCIA\u2019s final rule as long as this additional time is used to properly capture private-sector feedback on the proposed rule\u2019s reporting requirements and ensure the final rule fulfills congressional intent for the law,\u201d he said. \u201cI share the concern of many industry stakeholders that CIRCIA should not place duplicative or overly broad requirements on critical infrastructure owners and operators. Doing so could unnecessarily burden America\u2019s cyber professionals as they work to defend our networks from heightened threats.\u201d<\/p>\n<p>The 2022 law will require critical infrastructure owners and operators to report to CISA within 72 hours if they suffer a major cyberattack, and to report within 24 hours if they pay a ransomware demand. It was inspired by a spate of major cyberattacks, such as the 2021 Colonial Pipeline hack.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>But CISA\u2019s <a href=\"https:\/\/cyberscoop.com\/cisa-cyber-reporting-circia-2024\/\">proposed rule<\/a> \u2014 and how it interpreted the scope of whom the law would apply to or what kind of incidents would constitute reporting to CISA \u2014 had drawn <a href=\"https:\/\/cyberscoop.com\/cisa-circia-critical-infrastructure-reporting-letter\/\">industry criticism<\/a> from groups that wanted a narrower reading of the definitions of the law\u2019s key terms and phrases.<\/p>\n<p>The Information Technology Industry Council, which had co-signed letters about the proposed regulation, said the delay gives CISA a chance to adopt industry input.<\/p>\n<p>\u201cEnhancing operational efficiency through improved visibility into significant cyber incidents remains a top priority for the tech industry,\u201d said Leopold Wildenauer, director of cybersecurity policy for the group. \u201cCIRCIA will have a significant impact on the U.S. cyber landscape, so it\u2019s critical to get it right. CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congress\u2019s original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes.\u201d<\/p>\n<p>Bloomberg Law had <a href=\"https:\/\/news.bloomberglaw.com\/privacy-and-data-security\/cyber-agency-pushes-data-breach-reporting-final-rule-to-2026\">earlier reported the planned delay<\/a>, based on a notice that disappeared from the Office of Information and Regulatory Affairs website for weeks afterward.<\/p>\n<p>Personnel cutbacks at CISA and other developments had long prompted concerns that the agency <a href=\"https:\/\/cyberscoop.com\/cisa-sean-plankey-circia-deadline-op-ed\/\">would not meet<\/a> the October CIRCIA deadline. Department of Homeland Security Secretary Kristi Noem <a href=\"https:\/\/cyberscoop.com\/dhs-wont-tell-congress-how-many-people-its-cut-from-cisa\/\">said in May<\/a> she would support re-opening industry consultation on the proposed regulation. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The notice about the delay clears up uncertainty about CISA\u2019s plans, said Caleb Skeath, a partner at the Covington law firm.<\/p>\n<p>\u201cIt helps provide some clarity on what the next steps are. We did have a statutory deadline for having these rules published, but there had not been a lot of information coming out of CISA for a pretty long period of time since the comment period,\u201d he said. \u201cAnd it\u2019s a very broad, wide-ranging rule that\u2019s going to impact a lot of entities across a lot of industry sectors, and is going to require very quick reporting of a lot of information about cybersecurity incidents.\u201d<\/p>\n<p>There are limits to the kinds of changes the Trump administration could make to the proposed regulation without going to Congress for additional leeway, Skeath said. And it\u2019s possible that it could take extra time beyond publication of a final rule in May for the regulation to go into effect, he said.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<div class=\"popular-stories__stories\">\n<div class=\"popular-stories__cards\">\n<article class=\"post-item post-item--popular-stories-cards \" readability=\"21.726862302483\">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/trump-administration-cybersecurity-executive-orders-policy-changes-2025\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"506\" height=\"337\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-2.jpg?resize=506%2C337&ssl=1\" class=\"attachment-ratio-16-9-md size-ratio-16-9-md wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-6.jpg?resize=1265,843 1265w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\"> <\/a><figcaption class=\"screen-reader-text\"> President Donald Trump holds up an executive order on creating a White House 2028 Olympics task force after signing it in the South Court Auditorium of the White House on Aug. 5, 2025. (Photo by Brendan SMIALOWSKI \/ AFP) <\/figcaption><\/figure>\n<header class=\"post-item__meta\" readability=\"2.9054054054054\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/trump-administration-cybersecurity-executive-orders-policy-changes-2025\/\"> The overlooked changes that two Trump executive orders could bring to cybersecurity <\/a> <\/h3>\n<p> Good, bad, puzzling \u2014 a March order and June order could have bigger ripples than realized when the president signed them. <\/p>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/tim-starkscyberscoop-com\/\"> Tim Starks <\/a> <\/span> <\/div>\n<p> <\/header>\n<p> <\/article>\n<article class=\"post-item post-item--popular-stories-cards \">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/national-cyber-director-sean-cairncross-faces-challenges-on-policy-bureaucracy-threats\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"252\" height=\"168\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-3.jpg?resize=252%2C168&ssl=1\" class=\"attachment-ratio-16-9-sm size-ratio-16-9-sm wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-7.jpg?resize=1265,843 1265w\" sizes=\"auto, (max-width: 252px) 100vw, 252px\"> <\/a><figcaption class=\"screen-reader-text\"> Sean Cairncross, CEO, Millenium Challenge Corporation, speaks onstage during the 2019 Concordia Annual Summit \u2013 Day 2 at Grand Hyatt New York on Sept. 24, in New York City. (Photo by Riccardo Savi\/Getty Images for Concordia Summit) <\/figcaption><\/figure>\n<header class=\"post-item__meta\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/national-cyber-director-sean-cairncross-faces-challenges-on-policy-bureaucracy-threats\/\"> New National Cyber Director Cairncross faces challenges on policy, bureaucracy, threats <\/a> <\/h3>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/tim-starkscyberscoop-com\/\"> Tim Starks <\/a> <\/span> <\/div>\n<p> <\/header>\n<p> <\/article>\n<article class=\"post-item post-item--popular-stories-cards \">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/cisa-sean-plankey-circia-deadline-op-ed\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"252\" height=\"168\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-4.jpg?resize=252%2C168&ssl=1\" class=\"attachment-ratio-16-9-sm size-ratio-16-9-sm wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg 4000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=2048,1366 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=1012,675 1012w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026-8.jpg?resize=1264,843 1264w\" sizes=\"auto, (max-width: 252px) 100vw, 252px\"> <\/a><figcaption class=\"screen-reader-text\"> Sean Plankey, of Pennsylvania, responds to questioning during Senate Committee on Homeland Security and Governmental Affairs hearings to examine his nomination to be Director of the Cybersecurity and Infrastructure Security Agency, of the Department of Homeland Security, in the Dirksen Senate office building, in Washington, DC, on Wednesday July 24, 2025. (Mattie Neretin\/CNP\/Sipa USA) <\/figcaption><\/figure>\n<header class=\"post-item__meta\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/cisa-sean-plankey-circia-deadline-op-ed\/\"> CISA is facing a tight CIRCIA deadline. Here\u2019s how Sean Plankey can attempt to meet it <\/a> <\/h3>\n<div class=\"post-item__byline\"> <span class=\"post-item__author\"> <span>By <\/span> <a class=\"post-item__author-link\" href=\"https:\/\/cyberscoop.com\/author\/lauren-boas-hayes\/\"> Lauren Boas Hayes <\/a> <\/span> <\/div>\n<p> <\/header>\n<p> <\/article>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA pushes final cyber incident reporting rule to May 2026<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1092,1794,452,293,679,117,1892,3076,1571,439,817,288],"tags":[1094,1795,454,299,680,119,1894,3079,1572,443,821,294],"class_list":["post-7967","post","type-post","status-publish","format-standard","hentry","category-andrew-garbarino","category-circia","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-financial","category-government","category-information-technology-industry-council","category-kristi-noem","category-office-of-management-and-budget","category-policy","category-regulation","category-threats","tag-andrew-garbarino","tag-circia","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-financial","tag-government","tag-information-technology-industry-council","tag-kristi-noem","tag-office-of-management-and-budget","tag-policy","tag-regulation","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/andrew-garbarino\/\" rel=\"category tag\">Andrew Garbarino<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/circia\/\" rel=\"category tag\">CIRCIA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/financial\/\" rel=\"category tag\">Financial<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/information-technology-industry-council\/\" rel=\"category tag\">Information Technology Industry Council<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/kristi-noem\/\" rel=\"category tag\">Kristi Noem<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/office-of-management-and-budget\/\" rel=\"category tag\">office of management and budget<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/regulation\/\" rel=\"category tag\">regulation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7967","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7967"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7967\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7967"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7967,"date":"2025-09-08T13:29:20","date_gmt":"2025-09-08T18:29:20","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85888"},"modified":"2025-09-08T13:29:20","modified_gmt":"2025-09-08T18:29:20","slug":"cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/09\/08\/cisa-pushes-final-cyber-incident-reporting-rule-to-may-2026\/","title":{"rendered":"CISA pushes final cyber incident reporting rule to May 2026"},"content":{"rendered":"