In September 2025 CISA confirmed that the final rule for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is being pushed from October 2025 to May 2026. The delay landed while the Salt Typhoon story was still unfolding: the PRC-linked operators had sat inside Verizon, AT&T, T-Mobile and Lumen networks for one to two years before the intrusions were discovered in September 2024, and the Senate Commerce Committee concluded in December 2025 that the United States cannot prove the intruders have actually been evicted.
That is the political weather every CISO and OT security lead at a US critical-infrastructure operator now plans against. The reporting clocks already in force - SEC Item 1.05 of Form 8-K (four business days from materiality), NYDFS 23 NYCRR Part 500 (72-hour incident notice, 24-hour ransom notice), HIPAA breach notice (60 days), the FTC Safeguards Rule (30-day FTC notice for breaches affecting 500+ consumers) - collide with the pending CIRCIA 72-hour incident and 24-hour ransom-payment rules. Pipeline, rail and water operators face an additional OT overlay from TSA SD02F and EPA advisories.
The question every operator wants answered: which obligations actually bind today across the 16 critical-infrastructure sectors, how do CISA's Cybersecurity Performance Goals (CPGs) map to NIST CSF 2.0, and what does the operational runbook look like when an incident hits at 02:00 on a Saturday? This piece walks through it sector by sector, with the dates, fine amounts and statutory cites you can take into a board meeting on Monday.
The 16 critical-infrastructure sectors and what CIRCIA actually requires
The CIRCIA statute, enacted in March 2022, applies to covered entities operating in any of the 16 critical-infrastructure sectors defined by Presidential Policy Directive 21. CISA's April 2024 Notice of Proposed Rulemaking estimates roughly 316,000 covered entities once the size and sectoral thresholds are applied.
The core duties are three. First, a covered entity must report a covered cyber incident to CISA within 72 hours of reasonably believing one has occurred. Second, it must report a ransom payment within 24 hours, even if no covered cyber incident has been determined. Third, it must preserve relevant data and file supplemental reports as new information becomes available. Statutory FOIA and data-protection exemptions attach to material submitted under CIRCIA, which matters when general counsel weighs the calculus against SEC voluntary disclosure on Form 8-K Item 8.01.
The covered-incident threshold is unsettled. The April 2024 NPRM defined a "substantial cyber incident" broadly: any incident causing a substantial loss of confidentiality, integrity or availability of a covered entity's information system, a serious impact on the safety or resiliency of operational systems, a disruption of business or industrial operations, or unauthorized access through a third-party or supply-chain compromise. The carve-outs are narrow, principally lawfully authorized government activity and good-faith activity performed at the entity's own request, such as a commissioned penetration test. Thousands of comments objected to the breadth. The May 2026 final rule is widely expected to narrow scope, but the February 2026 DHS appropriations lapse forced cancellation of CISA town halls and further slippage is plausible.
Until the final rule lands, prudent practice is to build the runbook to the NPRM definition and tighten as the final rule clarifies. The statute itself carries no direct monetary penalty, but failure to report can trigger a CISA Director-issued request for information, a subpoena, referral to the Department of Justice for civil enforcement, and referral for suspension and debarment - a material risk for any operator with federal contracts. Note that the 72-hour clock starts at reasonable belief, not at detection, so the real exposure is a SOC that sees the incident days before anyone with authority to form that belief hears about it. Pair the CIRCIA workflow with a hardened incident response capability through VAPT services and round-the-clock detection from 24x7 SOC monitoring, with an escalation path that puts general counsel in the loop as soon as the SOC declares.
How CISA's Cybersecurity Performance Goals map to NIST CSF 2.0
CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are voluntary, but every federal regulator with cyber jurisdiction now uses them as the operational floor for what a reasonable security program looks like. NIST CSF 2.0 added a sixth function (Govern) and is the language boards understand.
The mapping is direct, using the goal numbering in CPG v1.0.1 (March 2023), which already groups the goals by CSF function. CPG 1.A (Asset Inventory) sits under CSF 2.0 ID.AM. The account-security goals, in particular 2.C (Unique Credentials) and 2.H (Phishing-Resistant MFA), align with PR.AA. CPG 1.E (Mitigating Known Vulnerabilities, which includes patching anything on CISA's Known Exploited Vulnerabilities catalog) maps to ID.RA-01 and PR.PS-02, and 2.N (Disable Macros by Default) to the configuration-management subcategory PR.PS-01. The supply-chain goals 1.G through 1.I (supplier incident reporting, supplier vulnerability disclosure and contractual cybersecurity requirements for vendors) sit squarely under GV.SC, the new Govern function's supply-chain category that the WEF Global Cybersecurity Outlook 2026 flagged as the binding constraint after third-party share of breaches doubled from 15 percent to 30 percent year on year.
The pragmatic move for a CISO is to publish one control-mapping matrix that ties each CPG to the CSF 2.0 subcategory, the relevant sectoral overlay (NERC CIP for bulk-electric, TSA SD02F sections for pipelines, HIPAA 164.308 for healthcare), and the internal control owner. That document becomes the single source of truth for the SEC Reg S-K Item 106 annual disclosure of cybersecurity risk-management processes, the annual written CISO report to the board required by NYDFS Section 500.4(c), the Section 500.17(b) annual certification of compliance, and the CIRCIA supplemental-report narrative.
The Govern function deserves separate budget. The 2026 WEF data showed that governance maturity, not headcount or tooling spend, predicts cyber resilience. A CISO who walks into the board with a CPG-to-CSF matrix, a quantified gap list, and a remediation roadmap has done the work the SEC's October 2024 enforcement sweep penalized Unisys, Avaya, Check Point and Mimecast for skipping.
TSA SD02F, rail and aviation: the OT obligations already in force
Pipeline operators have been under direct TSA cyber jurisdiction since the Colonial Pipeline shutdown in May 2021. Security Directive SD02F took effect 3 May 2025, continuing mandatory OT/ICS cyber requirements for owners and operators of hazardous-liquid and natural-gas pipelines.
The hard requirements include: a TSA-approved Cybersecurity Implementation Plan; network segmentation between IT and OT enforced by deny-by-default policy; access controls including MFA for remote access to OT systems; continuous monitoring of the OT network for anomalous behavior; a Cybersecurity Incident Response Plan exercised annually; and an annual Cybersecurity Assessment Plan. Incident reporting runs through the companion directive series, SD Pipeline-2021-01 and its renewals, which require reporting cybersecurity incidents to CISA within 24 hours. Because that report already goes to CISA, pipeline operators are the obvious candidates for CIRCIA's "substantially similar reporting" exception, but that exception only applies once CISA and TSA have an agreement in place, so until the final rule confirms it the safe assumption is two reports on two clocks.
The November 2024 TSA NPRM would codify the security directives into a formal rule for surface transportation. Rail operators face parallel directives, and passenger aviation operators face IT and OT directives that have tightened iteratively since 2021. Each directive carries TSA civil-enforcement authority.
For water and wastewater systems, the EPA's March 2023 attempt to fold cyber assessments into sanitary surveys did not survive: the Eighth Circuit stayed the memorandum in July 2023 and EPA withdrew it that October. Congressional proposals to restore EPA authority are pending. In the meantime CISA's water-sector advisories and joint guidance from CISA, FBI and EPA on PRC-linked threat activity are the operative reference. Volt Typhoon pre-positioning in power, water and transport systems is the political driver. Operators should not wait for a final rule before commissioning penetration testing services against the OT perimeter and Purdue Level 2-3 segments.
Energy NERC CIP and the bulk electric system overlay
Energy-sector operators face one of the most mature cyber regimes in the US. The North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards have been enforced for years, with incremental updates including CIP-013-2 (supply chain), CIP-003-9 (low-impact assets) and CIP-014 (physical security).
The current obligations for any responsible entity owning or operating bulk electric system (BES) cyber assets are layered. CIP-002-5.1a requires categorization of BES Cyber Systems as high, medium or low impact. CIP-005-7 requires electronic security perimeters with intermediate systems for interactive remote access. CIP-007-6 mandates ports-and-services baselines, patch management within evaluation windows, security event monitoring and account management. CIP-010-4 governs change management and configuration monitoring, including vulnerability assessments for high and medium impact systems. CIP-013-2 requires supplier risk management plans and is an active area of audit findings in 2025.
Penalties run through the FERC-approved violation severity levels and base penalty matrix, with multi-million-dollar settlements published in NERC's public Notice of Penalty filings.
The interaction with CIRCIA is straightforward. NERC's existing EOP-004-4 reporting and the DOE OE-417 form remain the primary energy-sector incident channels, and CIP-008-6 Requirement R4 already requires notification of a Reportable Cyber Security Incident to the E-ISAC and CISA within one hour of determination, the shortest clock any sector on this page faces. CIRCIA layers a federal reporting duty on top for incidents that meet the covered-incident threshold. The April 2024 NPRM contemplates a "substantially similar reporting" exception so that reports filed under another federal regime can satisfy CIRCIA in part, but the exception depends on an agreement between CISA and the receiving agency, and no operator should assume relief until the final rule confirms it. Where Volt Typhoon-style pre-positioning is in the threat model, attack simulation against the OT-DMZ and remote-access stack is now standard board expectation.
Healthcare: HIPAA Security Rule, the OCR Risk Analysis Initiative, and the December 2024 NPRM
Healthcare operators are designated critical infrastructure under PPD-21 and are simultaneously subject to one of the oldest cyber regimes in the country. The HIPAA Security Rule sits at 45 CFR Parts 160 and 164. The Office for Civil Rights' Risk Analysis Initiative, announced in 2024 and continued under the new administration, made enterprise-wide risk analysis under §164.308(a)(1)(ii)(A) the most-cited failure in 2024-2025 enforcement.
OCR published an NPRM on 6 January 2025 (90 FR 898) proposing the first material Security Rule overhaul in more than twenty years. Proposed requirements include mandatory MFA for access to electronic protected health information, mandatory encryption at rest and in transit, mandatory network segmentation between systems handling ePHI, and a mandatory asset inventory updated at least annually.
The Change Healthcare breach exposed protected health information of roughly 192.7 million individuals - the largest US healthcare breach ever. IBM's 2025 Cost of a Data Breach Report put the average healthcare breach cost at $7.42 million, the highest of any sector. Throughout 2025 OCR settled four ransomware investigations, with settlement amounts ranging from $80,000 to $250,000 and three-year corrective action plans. The April 2026 quad-settlement totaled $1.165 million across four entities. The pattern is consistent: the regulator's root-cause finding in every case was an inadequate enterprise-wide risk analysis.
For healthcare CISOs, the practical implication is that the §164.308 risk analysis must be a live document, refreshed at least annually and after any material change to the environment, with traceability from each identified risk to a specific safeguard. Couple that with the breach-notice obligations under §164.404 through §164.408: notice to affected individuals without unreasonable delay and no later than 60 days after discovery, notice to HHS on the same clock for breaches of 500 or more (smaller breaches are logged and reported annually), and media notice when 500 or more residents of a state or jurisdiction are affected. Where the asset inventory and risk register are thin, an external VAPT engagement often becomes the fastest path to a defensible §164.308 record.
SEC Item 1.05, NYDFS Part 500, and the financial-services reporting collision
Financial-services operators sit at the busiest reporting intersection. The SEC's cybersecurity rules - Item 1.05 of Form 8-K and Reg S-K Item 106 - apply to all SEC-registered public companies, with smaller reporting companies phased in from 15 June 2024. Item 1.05 requires disclosure of a material cybersecurity incident within four business days of the materiality determination, with delay permitted only on US Attorney General national-security certification.
The May 2024 Corp Fin guidance from Director Erik Gerding clarified that Item 1.05 is for material incidents only, and that voluntary disclosure of non-material incidents should use Item 8.01. The October 2024 enforcement sweep imposed civil penalties of $4 million on Unisys, $1 million on Avaya, $995,000 on Check Point and $990,000 on Mimecast for materially misleading cybersecurity disclosures tied to the SolarWinds compromise. The District Court for the Southern District of New York dismissed the bulk of SEC claims against SolarWinds and CISO Tim Brown on 18 July 2024, and the SEC voluntarily dismissed the remaining claims with prejudice on 20 November 2025. The Cyber and Emerging Technologies Unit (CETU), announced in February 2025 under Acting Chair Mark Uyeda and carried forward under Chair Paul Atkins, signals continued enforcement on fraud and investor-harm theories but retreat from novel internal-controls and individual-CISO theories.
NYDFS 23 NYCRR Part 500 is the parallel state-level regime for entities operating under a New York DFS license. The final tranche of the 2023 amendment took effect 1 November 2025, including universal MFA for all individual accounts and a full asset inventory, on top of the encryption-of-nonpublic-information requirement that came into force a year earlier. Section 500.17(a) requires incident notice to NYDFS within 72 hours of determining that a cybersecurity incident has occurred; Section 500.17(c) requires notice within 24 hours of a ransom payment plus a written explanation within 30 days; Section 500.17(b) requires the annual certification of compliance signed by the CISO and the highest-ranking executive. The Healthplex consent order of 14 August 2025 imposed a $2 million civil penalty. Cumulative Part 500 penalties have totaled more than $144 million across 27 consent orders since 2021, with $63.3 million in 2024-2025 alone.
The non-banking financial-services slice falls under the FTC Safeguards Rule (16 CFR Part 314). The 30-day notification requirement to the FTC, effective 13 May 2024, applies to any notification event affecting 500 or more consumers' unencrypted information. Notices are published in a public FTC database. The GoDaddy consent order finalized 21 May 2025 and the Marriott/Starwood final consent order of 20 December 2024 (parallel state-AG settlement: $52 million paid to 49 states plus DC) are the live enforcement reference points.
The 24-hour ransom clock, OFAC sanctions risk, and the operational runbook
The ransom-payment clocks are now the sharpest operational risk. NYDFS requires notice within 24 hours of payment. CIRCIA, once final, will require notice within 24 hours of payment regardless of whether a covered cyber incident has been determined. Treasury OFAC's September 2021 updated advisory remains the operative guidance on sanctions exposure for ransomware payments. It states that OFAC may impose civil monetary penalties on a strict-liability basis, meaning a payer can be liable without knowing the recipient was sanctioned, and that a documented due-diligence and law-enforcement-cooperation record is treated as a significant mitigating factor.
The interpretive question no public guidance has resolved: when does paying a ransomware affiliate's wallet constitute prohibited dealings with a sanctioned person, particularly under ransomware-as-a-service models where infrastructure is shared across affiliates of varying sanctions status? Operators are building their runbooks around a worst-case assumption: assume the wallet is sanctions-linked and document the OFAC due-diligence trail (chain-analytics report, sanctions screening of wallet clusters, FBI engagement) before any payment authorization.
The full runbook for hour zero through hour 72 looks like this. Hour 0 to 2: SOC declares incident, activates IR plan, notifies CISO and general counsel, begins evidence preservation. Hour 2 to 6: scope assessment, classification under the CIRCIA covered-incident threshold and SEC materiality criteria, vendor notifications. Hour 6 to 24: external IR firm engaged under privilege, FBI Field Office notified for ransomware events, OFAC due-diligence kicked off if payment is being considered, NYDFS 72-hour clock noted if applicable. Hour 24 to 48: materiality-determination committee convened for SEC reporting, sectoral overlays activated (NERC EOP-004-4, TSA, HIPAA), affected-individuals enumeration begun. Hour 48 to 72: CIRCIA 72-hour report drafted and filed to CISA, NYDFS notice filed if applicable, SEC Item 1.05 draft circulated for board approval if materiality is reasonably probable.
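The clocks in that runbook start from different events (reasonable belief, the materiality determination, the ransom payment, discovery) and count differently (calendar hours versus business days), which is exactly where a 02:00-Saturday incident trips people up. The following Python is an added example, not code from the original article or from any regulator: it computes the deadlines named on this page from those trigger timestamps, skipping weekends and a caller-supplied holiday list for the SEC's business-day count. The day-zero convention for "within four business days after" and the use of reasonable belief as the NYDFS "determination" are assumptions made here; the sample incident timestamps are constructed, and all times are naive datetimes the caller is expected to keep in one consistent zone.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Clock:
    label: str
    deadline: datetime


def add_business_days(start: datetime, n: int, holidays: Iterable[date] = ()) -> datetime:
    """Walk forward n business days from `start`, skipping Saturdays, Sundays and
    any date in `holidays`. The start day is day zero, which is how this example
    reads the SEC's "within four business days after" language (assumption:
    the filer's own holiday calendar, e.g. EDGAR's, is what gets passed in)."""
    skip = set(holidays)
    current, counted = start, 0
    while counted < n:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in skip:
            counted += 1
    return current


def reporting_clocks(
    reasonable_belief: datetime,
    *,
    discovery: datetime | None = None,
    materiality_determination: datetime | None = None,
    ransom_paid: datetime | None = None,
    nydfs_licensed: bool = False,
    hipaa_covered: bool = False,
    ftc_safeguards: bool = False,
    holidays: Iterable[date] = (),
) -> list[Clock]:
    """Build every deadline this page discusses for one incident, earliest first.
    Clocks whose trigger event has not happened (no ransom paid, no materiality
    determination yet) are simply absent rather than guessed."""
    discovery = discovery or reasonable_belief  # assumption: discovery defaults to reasonable belief
    clocks = [
        Clock("CIRCIA covered cyber incident report (NPRM: 72h from reasonable belief)",
              reasonable_belief + timedelta(hours=72)),
    ]
    if nydfs_licensed:
        clocks.append(Clock("NYDFS 500.17(a) incident notice (72h from determination)",
                            reasonable_belief + timedelta(hours=72)))
    if ransom_paid is not None:
        clocks.append(Clock("CIRCIA ransom payment report (24h from payment)",
                            ransom_paid + timedelta(hours=24)))
        if nydfs_licensed:
            clocks.append(Clock("NYDFS 500.17(c) ransom notice (24h from payment)",
                                ransom_paid + timedelta(hours=24)))
            clocks.append(Clock("NYDFS 500.17(c) written ransom explanation (30 days)",
                                ransom_paid + timedelta(days=30)))
    if materiality_determination is not None:
        clocks.append(Clock("SEC Form 8-K Item 1.05 (4 business days from materiality determination)",
                            add_business_days(materiality_determination, 4, holidays)))
    if hipaa_covered:
        clocks.append(Clock("HIPAA breach notice to individuals and HHS (60 days from discovery)",
                            discovery + timedelta(days=60)))
    if ftc_safeguards:
        clocks.append(Clock("FTC Safeguards Rule notice (30 days from discovery, 500+ consumers)",
                            discovery + timedelta(days=30)))
    return sorted(clocks, key=lambda c: c.deadline)


def overdue(clocks: list[Clock], now: datetime) -> list[Clock]:
    """Clocks already expired at `now`; the runbook owner should be paged on any of these."""
    return [c for c in clocks if c.deadline <= now]


if __name__ == "__main__":
    # Constructed scenario: SOC declares at 02:00 on Saturday 10 January 2026,
    # ransom paid Sunday 09:00, materiality committee decides Monday 16:00.
    belief = datetime(2026, 1, 10, 2, 0)
    clocks = reporting_clocks(
        belief,
        materiality_determination=datetime(2026, 1, 12, 16, 0),
        ransom_paid=datetime(2026, 1, 11, 9, 0),
        nydfs_licensed=True,
        hipaa_covered=True,
        holidays=[date(2026, 1, 19)],  # MLK Day, a federal holiday
    )
    for c in clocks:
        print(f"{c.deadline:%a %Y-%m-%d %H:%M}  {c.label}")
    print("overdue at Monday 10:00:", [c.label for c in overdue(clocks, datetime(2026, 1, 12, 10, 0))])
```

The point the printed list makes is that for a Saturday-night incident the first thing due is not the 72-hour incident report but the 24-hour ransom notices, which expire Monday morning before the materiality committee has even met; the SEC four-business-day clock is the only one that stretches when a holiday intervenes.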
The companion artifact every general counsel now wants is a written information-flow protocol that names the materiality-determination committee, the escalation tree, and the documentation standard for each clock. The 2024 SEC enforcement actions punished companies whose internal information flow failed to surface the magnitude of the incident to disclosure decision-makers. 24x7 SOC monitoring with documented escalation playbooks is the operational backbone that makes the runbook executable.
What to do next: an 8-week compliance sprint
The most useful structure for a CISO walking into a 2026 budget conversation is an eight-week sprint that produces audit-ready artifacts. Week 1 to 2: complete the CPG-to-CSF 2.0 mapping with control owners and gap status. Week 2 to 3: refresh the asset inventory and confirm MFA coverage across all individual accounts (the NYDFS Part 500 November 2025 standard is the de facto benchmark). Week 3 to 4: rerun the enterprise-wide risk analysis with documented evidence per HIPAA §164.308 or sectoral equivalent.
Week 4 to 5: tabletop the CIRCIA, SEC, NYDFS and HIPAA reporting clocks against a Salt Typhoon-style intrusion scenario, with general counsel and the external IR firm in the room. Week 5 to 6: commission an external penetration test of the OT or production network, with NERC CIP-010 or TSA SD02F evidence packaging. Week 6 to 7: refresh supplier risk management plans under CIP-013-2 or equivalent and document the third-party SaaS and identity attack surface (a 2026 Vorlon survey found 99.4 percent of organizations experienced a SaaS or AI security incident in 2025). Week 7 to 8: draft the Reg S-K Item 106 annual disclosure narrative and the NYDFS Section 500.4(c) annual CISO report to the board from the same source data.
| Sprint week | Artifact | Regulator reference |
|---|---|---|
| 1-2 | CPG-to-CSF 2.0 mapping | NIST CSF 2.0, CISA CPGs |
| 2-3 | Asset inventory and MFA coverage | NYDFS Part 500 |
| 3-4 | Enterprise risk analysis refresh | HIPAA 164.308 or sectoral |
| 4-5 | Reporting-clock tabletop | CIRCIA, SEC 1.05, NYDFS |
| 5-6 | External penetration test | NERC CIP-010 or TSA SD02F |
| 6-7 | Supplier risk plan refresh | NERC CIP-013-2 |
| 7-8 | Item 106 and CISO board report | SEC Reg S-K and NYDFS 500.4(c) |
For US operators looking for offshore delivery capacity to compress that sprint without sacrificing regulator-mapped evidence quality, Certbar Security operates as a CERT-In empanelled VAPT, SOC and compliance partner from Surat and Mumbai. The Indian time-zone window provides natural overnight SOC coverage for North American operators, and our reporting artifacts are designed to map directly onto CSF 2.0 subcategories, NYDFS Part 500 sections, and the NPRM's CIRCIA reporting fields. For boards weighing AI-related disclosure risk under the SEC's CETU mandate, an AI risk assessment tied to NIST AI RMF and ISO 42001 controls is the cleanest evidence trail.
The breach math is unforgiving. The Marriott settlement closed at $52 million across 49 states plus DC. Texas alone extracted $1.375 billion from Google in May 2025. The four-company SEC sweep cost roughly $7 million in penalties plus disclosure-controls findings that will sit in the comment-letter file for years. Against those numbers, the cost of a defensible reporting runbook and a regulator-mapped control program is the cheapest line item on the 2026 cyber budget.
Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.