6 CFR 826 | CISA | active

Cyber Incident Reporting for Critical Infrastructure

Plain English Summary

Requires critical infrastructure operators to report cyberattacks to CISA within 72 hours and ransom payments within 24 hours.

CFR Title: 6
CFR Part: 826
Effective Date: Mar 15, 2024
Jurisdiction: US

Full Text

Entities in critical infrastructure sectors must report covered cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Ransom payments must be reported within 24 hours. Covered incidents include those that lead to substantial loss of confidentiality, integrity, or availability, or serious impact on safety and resilience of operational systems.

Reports must include a description of the incident, affected systems, the impact on operations, the type of information compromised, and contact information. Reported information receives liability protections and exemptions from disclosure under FOIA.

cybersecurity, technology