
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

Impact Brief for Emergency Services Leadership


The Cybersecurity and Infrastructure Security Agency (CISA) is finalizing regulations under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The rule will require certain critical infrastructure entities to report covered cyber incidents and ransom payments to the federal government.


CISA has scheduled sector-specific town halls in March 2026, including one for the Emergency Services Sector.


Why This Matters to EMS & Fire Agencies

Emergency Services are included in the rulemaking engagement process. If finalized as proposed, many public safety agencies may be designated as covered entities subject to federal reporting requirements.


Entities that could be impacted include:

· Fire-based EMS agencies
· County EMS systems
· Emergency Services Districts (ESDs)
· 911 / PSAP operations
· Larger private EMS providers


What May Trigger Federal Reporting?

Potentially reportable events may include:

· Ransomware impacting CAD or dispatch systems
· ePCR system compromise
· Billing platform breach
· Mobile data terminal compromise
· Network outage caused by malicious activity
· Payment of ransom (including through an insurance carrier)

These requirements would be in addition to HIPAA breach reporting, Texas breach notification laws, insurance carrier notification, and law enforcement engagement.


Operational Impact During an Incident

Covered entities may be required to submit formal reports within defined federal timeframes, provide technical details, preserve forensic evidence, and submit supplemental updates.

For smaller departments, this introduces additional administrative burden, legal review requirements, and executive-level involvement during crisis response.


Governance & Board-Level Implications

CIRCIA elevates cyber incidents from operational IT issues to federally reportable compliance obligations. Boards and Commissioners should anticipate formal designation of reporting authority, updates to incident response plans, documentation requirements, and higher cybersecurity maturity expectations.


Strategic Opportunity

While CIRCIA increases regulatory responsibility, it also strengthens federal visibility into threats targeting public safety, enhances intelligence sharing, and supports justification for cybersecurity funding.


Recommended Next Steps

1. Determine whether your agency meets size or sector-based criteria.
2. Update your Cyber Incident Response Plan to include federal reporting triggers.
3. Assign responsibility for CIRCIA compliance.
4. Coordinate with legal counsel and your cyber insurance provider.
5. Ensure logging and documentation practices support reporting obligations.


Executive Summary

CIRCIA will likely require many EMS and fire agencies to federally report significant cyber incidents and ransom payments, elevating cybersecurity from operational IT management to a board-level compliance responsibility.


Link to Federal Register: DEPARTMENT OF HOMELAND SECURITY 6 CFR Part 226 [Docket ID: CISA-2022-0010] 2026-02948.pdf


Need to talk further? Contact us at info@emscyber360.com


 
 
 



 

© 2025–2026 EMSCyber360, LLC. All rights reserved.

EMSCyber360 provides cybersecurity, governance, and operational risk advisory services exclusively for Emergency Medical Services and public safety organizations.


EMSCyber360 provides cybersecurity advisory and education services for emergency medical services and public safety organizations. This website does not provide legal or medical advice.
