A partial government shutdown threatens to further derail a key federal cybersecurity agency’s incident reporting rule—and delay answers that companies need to comply.
The Department of Homeland Security shutdown, now entering its third week, may push back the finish line for a Biden-era rule that would create stringent disclosure requirements for critical infrastructure entities after cybersecurity incidents like ransomware attacks.
The lapse in funding came just days after an announcement from the Cybersecurity and Infrastructure Security Agency in February that it wanted additional feedback on the Cyber Incident Reporting for Critical Infrastructure Act rule, which marked the first substantial update on the rule since companies submitted comments in June 2024. At the time, they had largely pushed back against the scope of the regulation.
The rulemaking’s hazy timeline puts companies in a difficult spot: they must both try to shape the Trump administration’s approach to the rule’s scope, requirements and enforcement, and begin addressing the regulation’s unique compliance demands.
“If you right now don’t have a lot of reporting obligations, but you think you could be affected by the rule, I’d be talking to my security team and figuring out the combination of security and legal to say, ‘What would we need to put in place to have a reporting function that could be done in 72 hours?’” said Megan Brown, co-chair of Wiley Rein LLP’s privacy, cyber and data governance practice.
She added that, for companies that may face some of these reporting obligations for the first time, “There is stuff that they can be doing to get ahead of it, to say, who’s going to do it, who’s responsible for it? How can we get the kind of information that DHS seems to want?”
CISA shuffled its leadership last week, reassigning acting director Madhu Gottumukkala as DHS’ Director of Strategic Implementation, where he will focus on cost-saving, according to a senior DHS official. Nick Andersen, the executive assistant director for cybersecurity, will serve as acting director while President Trump’s nominee for director, Sean Plankey, awaits confirmation.
Shaping CIRCIA
The shutdown prevents CISA from actively monitoring cyber threats to US critical infrastructure and forces the agency to cancel cybersecurity assessments for critical infrastructure, stakeholder trainings, simulation exercises, and other engagements, Homeland Security said on Feb. 17.
A funding lapse also temporarily furloughs about two-thirds of CISA’s 2,540 employees and halts most of the agency’s policy, regulatory, and auditing work. CISA said the government shutdown will also prevent it from holding the town hall meetings it planned in March to gather feedback on the cyber incident reporting rule.
The agency didn’t reply to requests for comment on how it’s re-evaluating the rule’s timeline in light of the shutdown.
Still, companies and industry groups across energy, health-care, financial services, communications and several other sectors are preparing to weigh in on the topics where CISA wants additional feedback. Among other issues, the agency sought suggestions about the types of organizations that would be covered under the rule, the types of incidents they’d have to report, and how the administration can harmonize the rule’s reporting requirements with existing regulations.
“By asking for comments in certain areas, they’ve already pre-signaled those are the areas where they’re considering changes,” said Justin Herring, partner in Mayer Brown LLP’s cyber and data privacy practice. “So in terms of bang for your buck, where are we most likely to move the regulator and influence them? My advice would be: Take them at their word. They’ve said they want to talk about scope. They want to talk about the nature of the information that has to be reported.”
‘Dog That Hasn’t Barked’
The agency hasn’t answered hundreds of companies’ questions about the rule since comment submissions ended in 2024—leaving many with the same questions they had almost two years ago, and not much closer to compliance.
“I still hear from a lot of companies that they would like to see CISA further refine who is in scope for the rule. Now that opinion and how they approach that may differ by business, but that is one topic I hear over and over again that I would expect CISA to receive a lot of feedback on,” said Caitlin Clarke, senior director for cybersecurity services at Venable LLP and former White House cyber official.
Companies already complying with steep reporting obligations—like the European Union’s cyber rules—may be able to rely on existing processes to meet a 72-hour reporting requirement when the rule goes into effect. Others will have to assign responsibilities in-house and figure out how to disclose details that are far more technical than what other US data breach notification rules require.
“CIRCIA is a dog that hasn’t barked; it is potentially game-changing in moving entities that are used to a 30-45 day reporting window into a much shorter reporting window,” said Edward McNicholas, leader of Ropes & Gray LLP’s data privacy and cyber practice.
Some companies may be caught by surprise if and when the rule kicks in.
“We’ve been pestering our clients with information about CIRCIA and trying to ensure that anyone who would easily fall within critical infrastructure is aware of it,” McNicholas said. “That being said, the lack of clarity on the definition of critical infrastructure makes that very hard. It is difficult to call the client and say that they should be watching this statute in these regulations when it’s not clear that they are covered by it.”
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.