CIRCIA — Cyber Incident Reporting for Critical Infrastructure Act (2022)

Requires US critical infrastructure operators to report significant cyber incidents to CISA.

13 rules extracted
159 obligations decomposed
12.2x average obligations per rule
Jurisdiction: 🇺🇸 United States

About this regulation

CIRCIA was enacted as part of the Consolidated Appropriations Act of 2022 (Division Y). It requires covered entities in the 16 critical infrastructure sectors identified under Presidential Policy Directive 21 (PPD-21) to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. CISA published a Notice of Proposed Rulemaking (NPRM) on April 4, 2024, with final rules expected by mid-2026. The law also establishes information sharing protections, subpoena authority, preservation requirements, and interagency coordination mechanisms.

What AuditDSS covers

Source: 1 regulation
Extracted: 13 rules
Decomposed: 159 obligations
Decomposition ratio: 12.2x

Each rule is decomposed into an average of 12.2 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 159 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in CIRCIA is scored across independent risk dimensions:

  • W (Obligation Weight): how critical the obligation is within the regulatory framework
  • L (Violation Likelihood): how often the obligation is breached in practice
  • E (Enforcement Evidence): regulator enforcement history and penalties
  • C (Cascade Dependency): how many other obligations depend on this one

Regulatory details

Full title
CIRCIA — Cyber Incident Reporting for Critical Infrastructure Act (2022)
Regulatory body
Cybersecurity and Infrastructure Security Agency
Jurisdiction
🇺🇸 United States
Document type
statute
Effective date
March 15, 2022
Issuing authority
United States Congress / Cybersecurity and Infrastructure Security Agency (CISA)

Who this applies to

Covered entities in the 16 critical infrastructure sectors, critical infrastructure operators, and federal agencies.

Key requirements

  • 72-hour cyber incident reporting
  • 24-hour ransomware payment reporting
  • supplemental reporting
  • data preservation for 2 years
  • cooperation with CISA

Frequently asked questions about CIRCIA

What is CIRCIA?

CIRCIA was enacted as part of the Consolidated Appropriations Act of 2022 (Division Y). It requires covered entities in the 16 critical infrastructure sectors identified under Presidential Policy Directive 21 (PPD-21) to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. CISA published a Notice of Proposed Rulemaking (NPRM) on April 4, 2024, with final rules expected by mid-2026. The law also establishes information sharing protections, subpoena authority, preservation requirements, and interagency coordination mechanisms.

Who does CIRCIA apply to?

CIRCIA applies to covered entities in the 16 critical infrastructure sectors, critical infrastructure operators, and federal agencies.

How many obligations does CIRCIA contain?

AuditDSS has decomposed CIRCIA into 159 atomic obligations from 13 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of CIRCIA?

The key requirements include 72-hour cyber incident reporting, 24-hour ransomware payment reporting, supplemental reporting, data preservation for 2 years, and cooperation with CISA.

How can I assess my CIRCIA compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 159 CIRCIA obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces CIRCIA?

CIRCIA is enforced in the United States by the Cybersecurity and Infrastructure Security Agency (CISA).

When did CIRCIA come into effect?

CIRCIA became effective on March 15, 2022.

What industry does CIRCIA apply to?

CIRCIA is primarily relevant to the Medical Devices & Diagnostics industry. AuditDSS covers 64 regulations in this industry sector.

Build a CIRCIA compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for CIRCIA — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering CIRCIA requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine CIRCIA with other regulations into a single unified compliance pack for your business.

Already have a policy? Assess it against CIRCIA

1. Upload your document. Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2. AI maps against 159 obligations. Your document is scored against every obligation in CIRCIA. Each claim is mapped to the obligation tree and evaluated for coverage.

3. Risk-scored gap report. Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Assess your CIRCIA compliance

Upload your document and get a risk-scored gap analysis against 159 CIRCIA obligations in under 5 minutes.