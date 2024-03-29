President Joe Biden signed CIRCIA into law in March 2022, and that set a timer for the US Cybersecurity and Infrastructure Agency (CISA), which had two years to propose a rule.

As proposed, the 447-page rule [PDF] would require organizations that fall under any of the United States' 16 critical infrastructure sectors to report "substantial cyber incidents" within 72 hours of discovering them. This essentially includes any digital intrusion that leads to substantial harm, poses a significant threat to the organization's ability to function, or threatens national security, public health, or safety.

It also would require these organizations to report ransom payments within 24 hours.