Policy Roast: CIRCIA's 72-Hour Reporting Window Is Already Obsolete
CISA's 72-hour incident reporting rule assumes breaches are discovered instantly. Reality: most take 200+ days to detect.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which CISA is implementing through its reporting rule, requires covered entities to report substantial cyber incidents within 72 hours of discovery. Ransom payments get 24 hours from the moment the payment is made. On paper, this sounds reasonable. In practice, it reads like a policy written by people who have never worked a real breach.
The Core Problem: Discovery ≠ Detection
The 72-hour clock starts when an organization "reasonably believes" a substantial incident has occurred. What CIRCIA never reckons with is how long that belief takes to form: IBM's 2023 Cost of a Data Breach Report put the mean time to identify a breach at 204 days. That is 4,896 hours, or 68 consecutive 72-hour windows, of an intruder operating inside the network before anyone has a belief to be reasonable about. By the time you can confirm that something substantial happened, the crisp "discovery" moment that a 72-hour clock is supposed to hang on has long since dissolved into weeks of ambiguous telemetry.
Consider a realistic week. Your SOC gets an alert on Monday. Could be noise, could be real. Tuesday, they escalate to incident response. Wednesday, forensics confirms lateral movement. Thursday, you scope the damage. Friday, legal confirms it meets the "substantial" criteria under CIRCIA. That is five calendar days, roughly 120 hours, spent just establishing that you have a reportable event. If CISA later decides that "reasonable belief" attached to Monday's alert rather than Friday's legal sign-off, you were 48 hours late before you even knew you had to report.
What "Substantial" Actually Means (Spoiler: Nobody Knows)
CIRCIA defines substantial incidents as those that lead to:
- Substantial loss of confidentiality, integrity, or availability of a system or network.
- Serious impact on safety and resiliency of operational systems and processes.
- Disruption of ability to engage in business or industrial operations.
Notice that the word "substantial" appears in the definition of a substantial incident. This is regulatory circular reasoning at its finest. When your General Counsel asks, "Is 10,000 records substantial?", the honest answer is: maybe, depending on context, industry, and how CISA chooses to read it that day.
Organizations are left guessing whether a security event crosses the threshold. Report too early and you waste CISA's time with false positives. Report too late and you're non-compliant. There's no safe harbor for good-faith reporting errors.
The Ransom Payment Paradox
CIRCIA requires ransom payment notifications within 24 hours of the payment being made. This creates a perverse incentive: if you pay quickly to minimize downtime, you must immediately disclose that payment to CISA, which may invite additional scrutiny, regulatory action, or downstream public disclosure obligations.
The alternative? Delay payment decisions until you've exhausted all recovery options, extending downtime and increasing business impact. CIRCIA punishes decisive action and rewards institutional paralysis.
What Should Happen Instead
Effective incident reporting policy would:
- Start the clock at containment, not discovery. Once you've stopped the bleeding, you have 72 hours to report. This gives organizations time to understand what they're reporting.
- Provide objective thresholds. "Substantial" should mean specific numbers: X records compromised, Y systems affected, Z hours of downtime. Remove the guesswork.
- Create a safe harbor for good-faith errors. If an organization reports within 72 hours of reasonably determining an incident is substantial, no penalties for threshold misclassification.
- Separate payment notification from incident reporting. Ransom payments should be reported, but on a different timeline that doesn't penalize rapid response decisions.
CIRCIA was supposed to improve information sharing and collective defense. Instead, it's created a compliance minefield where organizations spend more time calculating reporting obligations than actually responding to incidents.
Until CISA revises these timelines to match operational reality, CIRCIA will remain another regulatory checkbox that does little to improve actual cybersecurity outcomes.