Register for the EDUCAUSE Annual Conference today. Extra 25% off in-person registration, through July 8. →

CISA Announces Town Hall Meetings on CIRCIA Regulations

Authors:
Bailey Graves
Published:
Thursday, March 12, 2026
Columns:
Policy
min read


The Cybersecurity and Infrastructure Security Agency has announced a series of virtual town hall meetings to seek additional input on proposed regulations under the Cyber Incident Reporting for Critical Infrastructure Act.

Update: The article below notes that the Department of Homeland Security (DHS) shutdown due to a lack of FY26 funding might affect the town hall meeting schedule. The Cybersecurity and Infrastructure Security Agency (CISA) has since suspended the schedule due to the shutdown. The agency intends to release a new schedule after DHS funding has been restored. CISA also states that it will likely delay even further the release of the regulations for which the town hall meetings are being called as a result of the shutdown.

On February 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) published a Federal Register notice announcing a series of virtual town hall meetings as part of the ongoing Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rulemaking process.Footnote1 The sessions are intended to provide stakeholders with an additional opportunity to provide input on the CIRCIA Notice of Proposed Rulemaking (NPRM) published in 2024.

Background on CIRCIA

Signed into law in 2022, CIRCIA directs CISA to develop regulations mandating "covered entities"—those within critical infrastructure sectors—to submit reports of covered cyber incidents within seventy-two hours of becoming aware of the incident. CIRCIA also directs the regulations to require covered entities to report ransom payments within twenty-four hours.Footnote2

In April 2024, CISA released an NPRM outlining its CIRCIA regulatory framework.Footnote3 EDUCAUSE was surprised to learn that the NPRM classified all higher education institutions receiving federal student aid under Title IV of the Higher Education Act (HEA) as covered entities, placing virtually all of higher education under the scope of the regulations. Historically, the Department of Homeland Security (DHS) and CISA had not classified higher education as a critical infrastructure sector, though certain departments within institutions may have fallen under other critical infrastructure sectors, such as health care and defense. In the proposed CIRCIA regulations, however, CISA indicated that it would rely on the Educational Facilities Subsector (EFS) within the Government Facilities Sector (GFS)—one of the sixteen federally designated critical infrastructure sectors—to designate all Title IV institutions as "covered entities" subject to mandatory federal cyber incident reporting requirements.

The EDUCAUSE Response to the NPRM

EDUCAUSE submitted comments in response to the NPRM in July 2024, and in June 2025, EDUCAUSE sent a letter to CISA reiterating its concerns regarding the proposed regulations.Footnote4 In both letters, EDUCAUSE and the higher education community urged CISA to reconsider its decision to designate higher education writ large as covered entities under the proposed rule.

The letters also raised concerns around the level of outreach CISA engaged in. EDUCAUSE noted that higher education institutions and associations had little reason to engage before the publication of the NPRM because the higher education community had not previously been treated as critical infrastructure. Additionally, EDUCAUSE was not aware of any outreach that CISA had conducted to leadership at higher education institutions or professional organizations during statutorily required stakeholder outreach activity prior to the NPRM.

The Town Halls

According to the Federal Register notice, CISA is holding several sector-specific and general town halls between March and April. Through the meetings, CISA is seeking actionable input for improving the final rule in order to clarify or lessen the burden of CIRCIA's requirements while strengthening federal insight into cyber threats facing critical infrastructure. CISA outlined several areas for feedback in the notice, including the proposed sector-based criteria for identifying covered entities. CISA also indicated that it will not reopen the formal comment period at this time but may consider doing so if warranted.Footnote5

The town hall meeting for GFS stakeholders will be held virtually on March 17, 2026, at 11 a.m. ET. Two general town hall meetings will also be held virtually at 11 a.m. ET on March 31 and April 2. Individuals can register for the meetings using the links above for each date. Please note that due to the ongoing partial shutdown at the Department of Homeland Security, nonessential operations are halted as of this writing. The meeting dates may change as a result. EDUCAUSE will keep members informed of further updates.

Looking Ahead

CIRCIA set a statutory deadline for the CISA regulations to be finalized in October 2025. That deadline was missed. The most recent Regulatory Agenda lists May 2026 as the target publication date for the final rule.Footnote6 Given the announcement of the town halls, staff reductions at the agency, and the partial shutdown for the Department of Homeland Security, it appears unlikely that a final rule will be released in May 2026.

EDUCAUSE will continue to participate in the rulemaking process and keep members informed of potential changes to cyber incident reporting requirements for higher education institutions.

Notes

  1. Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Rulemaking; Town Hall Meetings,"Federal Register 91, no. 30 (February 13, 2026).Jump back to footnote 1 in the text.
  2. Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117–103, div. Y, § 101, 136 Stat. 1038, 1038 (2022).Jump back to footnote 2 in the text.
  3. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements," proposed rule, Federal Register 89, no. 66 (April 4, 2024): 23644–23776.Jump back to footnote 3 in the text.
  4. Jarret Cummings, "EDUCAUSE Pushes Back on Proposed Cyber Incident Reporting Regulations," EDUCAUSE Review, July 23, 2024; Kathryn Branson, "EDUCAUSE Reiterates Concerns over CISA's Cyber Incident Reporting Proposed Rule," EDUCAUSE Review, August 14, 2025.Jump back to footnote 4 in the text.
  5. Cybersecurity and Infrastructure Security Agency,"Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Rulemaking; Town Hall Meetings."Jump back to footnote 5 in the text.
  6. U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, September 2025. Jump back to footnote 6 in the text.

Bailey Graves is a Senior Associate at Ulman Public Policy.

© 2026 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License