Do you remember the 2021 Colonial Pipeline ransomware attack, or how Congress reacted with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)?
What about when in 2024 the Cybersecurity and Infrastructure Security Agency (CISA) published a 457-page proposed rule to create mandatory cyber incident reporting requirements for more than 300,000 organizations across 16 critical infrastructure sectors, including the Defense Industrial Base (DIB)?
You probably didn’t remember, and that’s a DIB-wide problem.
Back in 2024, we spent an entire podcast explaining that CIRCIA wasn't just another version of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, but a fundamentally different, much broader rule.
We said that if CISA and the Department of War (DoW) couldn't reach a formal reporting agreement, this would become a major new compliance burden (and legal liability) for defense contractors.
Fun fact: this Sum IT Up podcast episode was officially cited in congressional testimony to the House Homeland Security Committee in a May 2024 hearing.
CISA has recently announced a new round of town halls to gather additional feedback and refine the scope of the proposed rule.
The DIB represents nearly one quarter of all covered entities but added very few public comments when the rule was proposed initially.
These town halls are the best opportunity to make your opinions about CIRCIA known before the final rule arrives.
Supporters argue:
The government cannot identify patterns it never sees.
Better visibility leads to better collective defense.
CIRCIA is intended to function as a national cyber warning system.
Critics argue:
The scope is too broad.
The information requirements are unrealistic.
Harmonization between DFARS 7012 and CIRCIA reports may not work.
The compliance burden is too high.
Here we are, two years in, and people still have no idea what CIRCIA has in store for them. Let’s get everyone on the same page about why it matters.
At first glance, CIRCIA just looks like a duplicate of DFARS 7012’s 72-hour cyber incident reporting requirements. However, when you dig deeper, CIRCIA reporting is fundamentally different and much larger. CIRCIA and DFARS 7012 differ in:
Report triggers
Report scopes
Report contents
Treatment of ransomware
Report lifecycles
Preservation requirements
Enforcement mechanisms
DFARS 7012 requires contractors to report cyber incidents “that affect a covered contractor information system or the covered defense information residing therein,” or that affect the contractor’s ability to perform operationally critical support under the contract.
CIRCIA requires a covered entity to report when it has a “reasonable belief” that it has experienced a substantial cyber incident, which the proposed rule defines as an incident that leads to any of the following:
A substantial loss of confidentiality, integrity, or availability of a covered entity's information system or network (including OT systems);
A serious impact on the safety and resiliency of a covered entity's operational systems and processes;
A disruption of a covered entity's ability to engage in business or industrial operations, or to deliver goods or services;
Unauthorized access to a covered entity's information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider (MSP), or other third-party data hosting provider, or a supply chain compromise.
Under DFARS 7012, everything revolves around Controlled Unclassified Information (CUI) systems. If it doesn’t affect the CUI or a covered system, it’s not reportable.
Under CIRCIA, almost any significant cyber incident you experience as a covered organization must be reported, whether or not CUI or a covered system was involved.
The quickest way to explain the differences between DFARS 7012 and CIRCIA reporting requirements is that:
With DFARS 7012, the DoW asks, “Who are you, what contract is affected, what happened, and did it impact Covered Defense Information (CDI) or operationally critical support?”
With CIRCIA, CISA asks, “What can the Federal government learn from this incident to understand and defend against broader cyber threats?”
DFARS 7012 reporting fields focus on establishing:
Which contractor
Which facility
Which contract
Which program
Which government customer
CIRCIA explicitly seeks:
Indicators of compromise
Vulnerabilities exploited
Threat actor information
Operational disruption
Business interruption
Safety impacts
Resiliency impacts
MSP involvement
Cloud provider involvement
Supply chain compromise information
Ransom payment details
Ongoing updates
DFARS 7012 has no separate ransom payment reporting requirement.
Under CIRCIA, you must report ransom payments separately within 24 hours.
Under DFARS, a contractor reports the incident in a single instance, and the DoW follows up if they need additional information.
With CIRCIA, the reporting obligation will continue until morale improves. 🏏💥
Initial report
Supplemental reports
Additional reporting when significant new information becomes available
CIRCIA also has much stronger preservation requirements.
DFARS 7012 requires contractors to preserve images of known affected systems and relevant monitoring and packet capture data for at least 90 days from submission of the incident report.
CIRCIA requires covered entities to preserve incident-related data for two years from the date the incident report (or the last supplemental report) is submitted.
DFARS 7012 is enforced by “contractual remedies.” Not reporting under DFARS 7012 subjects you to whatever consequence is listed in the affected contract. These remedies could include termination of the contract or disqualification from future contracts with the awarding body.
CIRCIA is enforced by more aggressive means:
Subpoenas
Department of Justice (DOJ) referrals
Potential enforcement actions
The short answer is no: defense contractors probably can't avoid CIRCIA entirely. I do not feel confident that CISA and the DoW will reach an agreement that keeps a second reporting requirement off of defense contractors.
The Congressional Research Service agrees:
“It seems unlikely that federal regulators will relinquish their specific reporting requirements in deference to CISA because existing regulations and the proposed CISA rule serve different purposes.”
The final rule was expected by now, but CISA is asking for more feedback instead. If you're a defense contractor and want to meaningfully contribute to CIRCIA, now is the time to voice your thoughts.
Eventually, the rule will be finalized. At that point, forgetting it just won’t work.
Register for CIRCIA Town Hall sessions. Speak to a Summit 7 expert to start your path to Cybersecurity Maturity Model Certification (CMMC) compliance.