Breaking The Silence in Cyberspace: The Case for a Comprehensive Cyber Incident Reporting Mandate
| Pages | 439-458 |
| Date | 01 November 2025 |
| Published date | 01 November 2025 |
| Author | Justin P'ng |
Breaking the Silence in Cyberspace: The Case for a Comprehensive Cyber Incident Reporting Mandate
Justin P’ng*
ABSTRACT
The enactment of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in 2022 has been described as a game-changer for cyber threat management. Its central and innovative feature is requiring covered entities in designated critical infrastructure sectors to report cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA), which is broadly responsible for upholding national cybersecurity. But like so many other cyber incident reporting requirements before it, CIRCIA falls short of what is ultimately needed to maximize the cyber threat response capabilities of the U.S. government. This Note argues for a more ambitious and comprehensive cyber incident reporting mandate that broadly applies to entities across the private and public sector with reporting jointly made to the Federal Bureau of Investigation (FBI) and CISA. Reforming CIRCIA and expanding its scope with this broader remit would better optimize the threat intelligence and analysis necessary for enhancing law enforcement responses to cyber incidents and improving cybersecurity insights overall.
INTRODUCTION
Nearly a decade after the U.S. government promulgated one of its first private sector cyber incident reporting requirements in 2013 for federal defense contractors,[1] President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law in March 2022.[2] Heralded as a “game-changer” that would “fill critical information gaps” in the cyber threat landscape,[3] CIRCIA broadly requires covered entities in designated critical infrastructure sectors to report cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA), the agency under the Department of Homeland Security responsible for national cybersecurity and infrastructure security.[4] This new mandate capped off several years of dynamic growth in U.S. cyber incident reporting—as of September 2023, there were forty-five active reporting requirements at the federal level distributed between twenty-two agencies across a range of sectors.[5]

CIRCIA is a welcome development in this broader cyber information sharing landscape, but it is also a missed opportunity by being both overinclusive and underinclusive: overinclusive because covered entities in critical infrastructure sectors will broadly include those already subject to existing reporting rules,[6] and underinclusive because it sidelines federal law enforcement and omits wide swathes of cyber incidents that will continue to be chronically underreported.[7] By no means are these new concerns. The metastasizing patchwork of cyber incident reporting rules is, after all, what inspired the establishment of the intergovernmental Cyber Incident Reporting Council (CIRC) under CIRCIA to unravel these tangled threads and work towards reporting harmonization.[8] The underinclusivity concern, however, remains unaddressed by CIRCIA and preserves a significant blind spot to the collective detriment of U.S. cybersecurity stakeholders.[9] Granted, CIRCIA was never intended to comprehensively fill the gaps in cyber incident reporting across the United States. But as one of the more significant efforts to improve national cybersecurity through mandatory cooperation, it unintentionally highlights the limitations of the incremental sectoral approach and the need for a more ambitious framework.

This Note argues for a more comprehensive cyber incident reporting mandate that broadly applies to entities across the private and public sector with reporting jointly made to the FBI and CISA.[10] Despite being tasked with leading the federal

* LL.M., Georgetown University Law Center, 2024; J.D., Osgoode Hall Law School, 2018. Many thanks to Professor Kimberley Raleigh for her guidance and feedback in developing this piece. © 2025, Justin P’ng.

1. Under this rule, defense contractors for the Department of Defense are required to report cyber incidents within 72 hours of their discovery. Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039), 78 Fed. Reg. 69,273 at 69,282 (Nov. 18, 2013); see Jessica A. Gunzel, Tackling the Cyber Threat: The Impact of the DOD’s Network Penetration Reporting and Contracting for Cloud Services Rule on DOD Contractor Cybersecurity, 46 PUB. CONT. L.J. 687, 698-99 (2017) (describing the “Incident Reporting” system established by the Department of Defense requiring defense contractors to report cyber incidents).
2. See generally 6 U.S.C. §§ 681-681g.
3. Press Release, Jen Easterly, Statement from CISA Director Easterly on the Passage of Cyber Incident Reporting Legislation (Mar. 11, 2022), https://perma.cc/2BWS-WT5R.
4. 6 U.S.C. § 681b(a). As the lead authority in this process, CISA has up to 42 months from Mar. 15, 2022, to engage in rulemaking and enumerate these reporting requirements before they take effect.
5. U.S. DEP’T OF HOMELAND SECURITY, HARMONIZATION OF CYBER INCIDENT REPORTING TO THE FEDERAL GOVERNMENT 9 (2023), https://perma.cc/8A3S-JAWA [hereinafter CIRC REPORT].
6. See 6 U.S.C. § 681(4) (“The term “covered entity” means an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that satisfies the definition established by the Director [of CISA].”); Presidential Policy Directive 21, Critical Infrastructure Security and Resilience 10-11 (Feb. 12, 2013), https://perma.cc/A26L-ZMU6 (identifying 16 critical infrastructure sectors including communications, financial services, and healthcare). CISA’s rulemaking under CIRCIA is also precluded from superseding the cyber incident reporting requirements of other federal agencies. 6
7. See Federal Bureau of Investigation, 2022 Internet Crime Report at 3 (2022) [hereinafter FBI Report] (“While the number of reported ransomware incidents has decreased, we know not everyone who has experienced a ransomware incident has reported to the IC3.”).
8. The Cyber Incident Reporting Council was established by CIRCIA to “coordinate, deconflict, and
5, at 2.
9. FBI REPORT, supra note 7, at 2.
10. This Note adopts the definition of “cyber incidents” set out in Presidential Policy Directive 41, United States Cyber Incident Coordination (July 26, 2016), https://perma.cc/C9HY-ZXJX (“An event occurring on or conducted through a computer network that actually or imminently jeopardizes the
440 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 15:439