← All articles Compliance

CIRCIA Finalizes in September 2026: What the 72-Hour Incident Reporting Rule Means for Federal Contractors

CISA is finalizing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) implementing rule this September 2026. Non-compliance can result in suspension from federal contracts. Separately, a FAR rule standardizing cybersecurity requirements for unclassified federal IT systems finalizes in September, a third rule on cyber threat and incident reporting for federal contractors also hits in September, and DoD is adding a new DFARS proposed rule in August specifically for defense contractors. Three rules. One season. Here is what each one requires and what you need to do before they take effect.

In eighteen years as a Contracting Specialist and Contracting Officer at GSA, IRS, DoD, and DOI, I have watched cybersecurity compliance requirements evolve from a checkbox in the contract to the single most consequential compliance obligation a federal contractor can face. What is different about the Fall 2026 wave is the convergence: multiple rules finalizing simultaneously, each adding new obligations and each carrying suspension risk. The contractors who treat this as one rule to manage rather than a system of overlapping requirements are going to be caught short.

What is CIRCIA and who does it affect?

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enacted under 6 U.S.C. 681b, requires covered entities in critical infrastructure sectors to report cyber incidents to CISA within 72 hours and to report ransom payments made in response to ransomware attacks within 24 hours. Federal contractors who operate in or serve critical infrastructure sectors are covered entities subject to CIRCIA.

CISA published its Notice of Proposed Rulemaking (NPRM) implementing CIRCIA in March 2024. The final rule is scheduled for September 2026. CIRCIA does not apply only to defense contractors or classified systems — it applies to any entity in a designated critical infrastructure sector, which includes information technology, communications, financial services, healthcare, energy, transportation, government facilities, and several others. If your federal contracts touch any of these sectors — and most IT and professional services contracts do — CIRCIA applies to you.

Covered critical infrastructure sectors under CIRCIA (per Presidential Policy Directive 21):

What exactly does the 72-hour cyber incident reporting requirement mean?

Under CIRCIA, a covered entity that experiences a "covered cyber incident" must report to CISA within 72 hours of reasonably believing the incident occurred. A covered cyber incident is one that meets thresholds set in the final rule — generally, incidents that result in substantial loss of confidentiality, integrity, or availability of an information system; disruption to business or industrial operations; or unauthorized access to a federally regulated entity's systems.

The 72-hour clock starts when you have a reasonable belief that a covered incident occurred — not when you have completed your forensic investigation or confirmed the full scope. This is operationally significant. From the CO seat, I have seen contractors delay notification to agencies because they wanted to have a complete picture before reporting. CIRCIA does not allow that approach. You report at 72 hours with what you know, and you supplement the report as your investigation develops.

Required elements of a CIRCIA incident report:

What does the 24-hour ransomware payment reporting requirement cover?

Any covered entity that makes a ransom payment — regardless of the amount, regardless of whether a formal incident was reported, and regardless of whether the payment resolves the incident — must report the payment to CISA within 24 hours. The reporting requirement applies even if you paid through a third party or cyber insurance carrier.

This 24-hour window is shorter than the incident reporting window deliberately. The federal government's policy position is that ransomware payment intelligence is critical for tracking threat actor activity, and that intelligence loses value quickly. The report must include the amount paid, the payment method, the digital wallet or account to which payment was made, and the ransom demand details to the extent known.

Non-compliance with ransom payment reporting is treated as seriously as non-compliance with incident reporting — both can result in civil enforcement action under CIRCIA and, for federal contractors, the suspension risk that flows from a violation of a federal regulation.

What are the two additional cybersecurity rules finalizing in September 2026?

Two additional federal cybersecurity rules are also scheduled to finalize in September 2026: a FAR rule standardizing cybersecurity requirements for unclassified federal IT systems, and a separate rule on cyber threat and incident reporting obligations for federal contractors specifically. Together with CIRCIA, these three rules create overlapping but distinct reporting and compliance obligations.

The FAR cybersecurity rule for unclassified IT systems closes a significant gap in current contractor requirements. Right now, cybersecurity obligations for unclassified federal systems vary by agency and contract — some agencies flow down NIST SP 800-171 requirements, others rely on FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), and still others add agency-specific cybersecurity clauses. The new FAR rule will standardize the baseline across all federal contracts for systems handling unclassified federal information, eliminating the patchwork of agency-specific requirements and replacing them with a uniform federal standard.

RuleIssuing AuthorityFinalizationPrimary Obligation
CIRCIA implementing ruleCISA (DHS)September 2026Report cyber incidents within 72 hours; ransom payments within 24 hours
FAR cybersecurity rule (unclassified IT)FAR CouncilSeptember 2026Uniform cybersecurity baseline for all federal contracts handling unclassified federal information
Federal contractor cyber threat/incident reportingFAR Council / CISASeptember 2026Contractor-specific incident and threat reporting obligations for federal contracts
DoD DFARS cybersecurity ruleDoDProposed August 2026Defense-specific cybersecurity requirements for defense contractors (DFARS supplement)

What does the DoD DFARS cybersecurity proposed rule add for defense contractors?

DoD is adding a new Defense Federal Acquisition Regulation Supplement (DFARS) proposed rule in August 2026 that addresses cybersecurity requirements specifically for defense contractors. This rule supplements, rather than replaces, CMMC (Cybersecurity Maturity Model Certification) requirements. Defense contractors will be subject to both CMMC and the new DFARS rule simultaneously.

For defense contractors already navigating CMMC Level 2 self-assessments and C3PAO third-party assessments under DFARS 252.204-7021, the August proposed rule adds another layer. The key word is "proposed" — a DFARS proposed rule goes through notice-and-comment before finalization. But given DoD's track record on cybersecurity rulemaking, the proposed rule signals the direction that will affect your contracts within 12 to 18 months.

If your firm holds defense contracts and you are not yet CMMC-compliant, the August DFARS proposed rule should accelerate your assessment timeline. Wait any longer and you will be managing CMMC compliance and DFARS proposed rule comments simultaneously while trying to maintain contract eligibility.

What do federal contractors need to do before September 2026?

Three actions before September: designate a CIRCIA reporting point of contact and establish a documented incident response procedure with a 72-hour clock, review all federal contracts for unclassified IT system obligations to assess the gap between your current controls and the incoming FAR standard, and if you hold defense contracts, assess your CMMC status now before the DFARS proposed rule adds further complexity.

  1. Designate a CIRCIA reporting contact: CISA's reporting portal will require an authorized organizational contact — identify who that person is now and ensure they have authority to submit reports without legal or executive approval delays
  2. Build a 72-hour incident response playbook: Your existing breach response procedures are almost certainly not optimized for a 72-hour reporting clock — review and update them now. The report must go to CISA at the 72-hour mark whether or not your internal investigation is complete
  3. Map your federal contracts to critical infrastructure sectors: If any of your contracts touch IT, communications, healthcare, energy, transportation, or financial services, CIRCIA applies — document which contracts fall under which sectors
  4. Review FAR 52.204-21 compliance: The incoming FAR cybersecurity rule will raise the baseline above current 52.204-21 requirements — assess your current controls against NIST SP 800-171 and identify gaps
  5. If you hold defense contracts, verify your CMMC plan: CMMC Level 2 requires either a current self-assessment score in SPRS or a C3PAO assessment underway — confirm your status at dodcmmc.mil
  6. Review your cyber insurance policy for ransomware payment notification clauses: Many cyber insurance policies include ransomware payment provisions — ensure your policy does not conflict with CIRCIA's 24-hour reporting requirement

What suspension risk does CIRCIA non-compliance actually create?

CIRCIA authorizes CISA to issue civil investigative demands (CIDs) to non-reporting covered entities and to refer non-compliant entities to the Attorney General for enforcement. For federal contractors, a CISA enforcement referral or a finding of CIRCIA non-compliance creates grounds for suspension or debarment under FAR 9.4 — specifically, the "adequate evidence" standard that a contractor is not presently responsible.

When I was a Contracting Officer evaluating contractor responsibility under FAR 9.104-1, a regulatory violation finding from a federal agency was the kind of record that stopped a contract award cold. Suspension proceedings do not require a criminal conviction — they require adequate evidence that the contractor failed to comply with federal law. A CIRCIA enforcement referral is that evidence. The practical effect is that a contractor under CISA enforcement action may be unable to receive new federal contract awards until the matter is resolved.

What Is the Bottom Line?

If you are an IT or professional services contractor on the GSA Schedule or holding task orders under OASIS+ and want to understand how these three Fall 2026 rules affect your specific contract portfolio, Blackfyre provides federal acquisition and compliance strategy from a team with 18 years of direct CO and CS experience across GSA, DoD, IRS, and DOI.

Frequently Asked Questions

Does CIRCIA apply to small businesses?

CIRCIA's final rule includes a small business exemption threshold — small businesses below a certain revenue or employee count threshold are exempt from the full reporting requirements. However, the threshold in the proposed rule was set at a level that captures most federal contractors doing meaningful IT work. Review CISA's final rule when it publishes in September 2026 to confirm whether your firm meets the small business exemption. Do not assume you are exempt until you have verified your status against the final rule text.

Is CIRCIA the same as the existing FAR 52.239-1 cybersecurity clause?

No. FAR 52.239-1 (Privacy or Security Safeguards) is a general safeguarding clause for systems handling federal data. CIRCIA is a separate statutory reporting requirement that applies to covered entities in critical infrastructure sectors regardless of whether their contract includes 52.239-1. CIRCIA adds time-sensitive reporting obligations that do not exist under 52.239-1. You may be subject to both simultaneously.

What is the difference between CIRCIA and the existing DFARS 252.204-7012 incident reporting requirement?

DFARS 252.204-7012 requires defense contractors to report cyber incidents affecting covered defense information (CDI) within 72 hours to DoD's Cyber Crime Center (DC3). CIRCIA requires covered entities in critical infrastructure sectors to report to CISA within 72 hours. These are separate reporting obligations to different agencies. If your firm holds defense contracts and operates in a critical infrastructure sector, you may be required to report the same incident to both DC3 and CISA — each agency's reporting system, format, and point of contact is different.

What counts as a "covered cyber incident" under CIRCIA?

CISA's implementing rule defines covered cyber incident as an incident that meets the substantial cyber incident threshold, which generally includes: unauthorized access to a computer system, significant exfiltration of data, denial of service attacks causing material harm, ransomware attacks, and incidents substantially disrupting business operations. The final rule's specific thresholds will be in the September 2026 publication — monitor the Federal Register and CISA's CIRCIA resources at cisa.gov/circia.

If my cyber insurance carrier pays a ransom on my behalf, do I still have to report it?

Yes. CIRCIA's ransom payment reporting obligation applies to payments made by or on behalf of the covered entity — including payments made by insurance carriers under a cyber policy. The 24-hour clock runs from when the payment is made, not from when you learn it was made. Coordinate with your insurance carrier now to establish a notification protocol that ensures you receive payment confirmation in time to meet the CIRCIA reporting deadline.

Where do I submit CIRCIA reports?

CISA is building a dedicated reporting portal for CIRCIA submissions, separate from the existing voluntary incident reporting portal at cisa.gov. The final rule will specify the submission mechanism. Until the final rule publishes, monitor CISA's CIRCIA implementation page at cisa.gov/circia for portal updates and submission guidance.

Can CIRCIA reports be used against my company in litigation?

CIRCIA includes provisions limiting the use of reports submitted to CISA — they are not admissible as evidence in civil legal proceedings and cannot be shared with state attorneys general for enforcement purposes without restriction. However, the protections apply specifically to CIRCIA reports submitted to CISA. Separate disclosures you make to agencies, contracting officers, or other parties are not necessarily protected under the same provisions. Coordinate with legal counsel before determining what to include in reports to multiple recipients.

Work With a Former CO Who's Been There

Navigating GSA Schedule strategy doesn't have to be a guessing game. Book a free strategy call with Pedro and let's talk about where you stand.

Book a Free Consultation →