Kate Growley, Michael G. Gruden, CIPP/G, Matthew Ferraro, Jacob Canter, Jacob Harrison, Bryan Dewan

On February 13, 2026, the U.S. Department of Homeland Security (DHS) announced upcoming virtual town hall meetings scheduled for March 2026 regarding the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  The meetings will allow industry stakeholders to provide input to DHS to refine the “scope and burden” of the forthcoming CIRCIA final rule.

CIRCIA, signed into law in March 2022, requires DHS to issue regulations obligating “covered entities” operating in specific critical infrastructure sectors to report cyber incidents and ransom payments made in response to a ransomware attack to DHS’s Cybersecurity and Infrastructure Security Agency (CISA).  Critical infrastructure sectors within CIRCIA’s scope include communications, critical manufacturing, defense industrial base, energy, financial services, food & agriculture, healthcare & public health, information technology, nuclear, transportation, and others.  DHS published a proposed rule in April 2024 and indicated that a final rule would follow within 18 months, but the March town halls mark the first CIRCIA regulatory action in nearly two years.

How to Attend

The schedule for the upcoming town hall meetings, provided by DHS, is below.  Those interested in attending can register at www.cisa.gov/circia.

Sector-Specific Town Halls

  • Chemical Sector; Water and Wastewater Sector; Dams Sector; Energy Sector; and Nuclear Reactors, Materials, and Waste Sector—March 9, 2026
  • Commercial Facilities Sector; Critical Manufacturing Sector; and Food and Agriculture Sector—March 12, 2026
  • Emergency Services Sector; Government Facilities Sector; and Healthcare and Public Health Sector—March 17, 2026
  • Communications Sector; Transportation Systems Sector; and Financial Services Sector—March 18, 2026
  • Defense Industrial Base Sector and Information Technology Sector—March 19, 2026

General Sessions

  • General Session 1: March 31, 2026
  • General Session 2: April 2, 2026

Topics to Be Discussed

DHS’s announcement identified specific topics on which it is interested in receiving industry feedback, including:

  • Potential approaches to harmonizing CIRCIA’s reporting requirements with other federal and state government cyber incident reporting regimes to avoid potential duplications or conflicts.
  • Fine-tuning who will be considered “covered entities” under the rule.
  • Examples of what would qualify as a substantial cyber incident under the rule.
  • Content of reports.

Conclusion

CIRCIA rulemaking, when final, will likely impose new, mandatory cyber incident reporting requirements on hundreds of thousands of U.S. entities operating across a wide variety of industry sectors.  As the March town halls could be the last chance for industry to weigh in on and potentially shape the final rule, entities operating in impacted sectors should strongly consider participating.  For questions about the town halls, CIRCIA and cyber incident reporting requirements more broadly, please contact our team.

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Matthew Ferraro

Matthew F. Ferraro is a partner in Crowell & Moring’s Privacy and Cybersecurity Group, where he helps clients address complex regulatory matters at the intersection of advanced technology, national security, and crisis management. He advises leading organizations on high-impact matters related to artificial intelligence (AI) and other emerging technologies, cyberattacks, domestic and international privacy compliance, internal investigations, foreign direct investment reviews, and high-stakes crises.

Before joining the firm, Matthew served as the Senior Counselor for Cybersecurity and Emerging Technology to the Secretary of Homeland Security. As a principal advisor to the Secretary and a member of the U.S. Department of Homeland Security’s leadership team, he served at the heart of U.S. government policymaking around AI and cybersecurity. He assisted in the development and drafting of key AI, cyber, and technology policies and regulations; advised on the deployment of AI to fulfill the department’s missions; and counseled on cyber-incident responses and investigations. Matthew also helped establish and served as the Executive Director of the Artificial Intelligence Safety and Security Board, a flagship public-private advisory committee focused on AI’s use in critical infrastructure and chaired by the Secretary and composed of industry, nonprofit, and government luminaries.

Jacob Canter

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent, as well as general complex commercial matters.

Jacob graduated from the University of California, Berkeley School of Law in 2018, where he launched Berkeley’s election law outreach program and pro bono project. He joins the firm after a year of practice at an international law firm in Washington, D.C., and a year clerking in the Southern District of New York for the Hon. Lorna G. Schofield. Jacob was exposed to and provided support in a variety of complex substantive and procedural legal topics during the clerkship, including trade secrets, insurance/reinsurance, contracts, class actions, privacy, intellectual property, and arbitrability.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.