The Cyber Rule Everyone Forgot About Just Came Back

Three Things to Understand

1. This is not DFARS 252.204-7012. CIRCIA is a separate, external regulatory regime, not a contract clause. It covers your whole organization, not just your CUI environment: systems that are out of scope for CMMC or CUI are still in scope for CIRCIA.

2. An interagency agreement to harmonize reporting is unlikely. The two regimes serve different purposes, cover different information, and have different requirements. The Congressional Research Service said as much in 2024. Don’t count on DoD and CISA working this out on your behalf.

3. The compliance burden is significant and the rule isn’t final yet. Detailed incident reports within 72 hours, ongoing supplemental reporting with no clear end date, and two years of data retention — all enforced by an agency you have no contract with. The town hall on June 18th is your last real chance to push back before the final rule drops.

Remember CIRCIA? The proposed rule would create mandatory cyber incident reporting requirements for more than 300,000 organizations across 16 critical infrastructure sectors, including the Defense Industrial Base. Now CISA is holding a new round of town halls to gather feedback before issuing a final rule. In this episode, we explain why CIRCIA isn’t just another version of DFARS 252.204-7012, the seven biggest differences defense contractors need to understand, and why the upcoming town halls may be the DIB’s best opportunity to influence the final rule.


Transcript

CIRCIA Explained: What Defense Contractors Need to Know


Jacob: All right, folks. It is June of 2026. Do you remember the 2021 Colonial Pipeline ransomware attack? Remember standing in line for gas on the East Coast? Remember how Congress reacted with the Cyber Incident Reporting for Critical Infrastructure Act of 2022? And then remember in 2024 when CISA published a 457-page proposed rule that would create mandatory cyber incident reporting requirements for more than 300,000 organizations across 16 critical infrastructure sectors — including the defense industrial base?

Yeah, nobody remembers that. And that’s kind of the problem.

Back in 2024, we spent an entire podcast explaining that CIRCIA isn’t just another version of DFARS 252.204-7012’s cyber incident reporting requirements. It is a much broader reporting regime — different triggers, broader incident definitions, more information requirements, and significantly longer data preservation requirements. We also said that if CISA and DoD couldn’t reach a formal agreement, this would become a major new compliance burden and legal liability for defense contractors.

Now in 2026, instead of a final rule, CISA has announced a new round of town halls to gather additional feedback. That matters because the defense industrial base represents one of the largest affected populations in the entire proposal — nearly a quarter of all covered entities under CIRCIA are defense contractors. And yet when the proposed rule was released, barely any of the public comments came from the DIB. So if you’ve got opinions about CIRCIA, this is your best opportunity to make them known before the final rule arrives. That’s what we’re talking about today.


Jacob: Jason, in our podcast on the proposed rule, we shouted as loud as we could that the DIB has more covered entities under CIRCIA than any other critical infrastructure sector — nearly 25% of all affected entities are defense contractors. And yet nobody seems to know about it. Fun fact: we shouted so loud that that episode was officially cited in congressional testimony to the House Homeland Security Committee at their hearing on the proposed rule in May of 2024. Link below.

Here we are two years later and people still have no idea what CIRCIA has in store for them.

Jason: Much like every podcast, I hope I didn’t say something terribly embarrassing. But this episode specifically — two years ago — I can probably recite the exact words I said, because I echo the same sentiments now. DFARS 7012 covers essentially three things: the handling of CUI, the protection of CUI, and the reporting of when you fail to handle or protect CUI appropriately. That third part is the most neglected element of DFARS 7012, whether for reputational reasons or otherwise. And here we are, two years later, with people still trying to wrap their heads around just the first two.

Jacob: Yep. It’s right there in the title — 7012: safeguarding the information and reporting the incident requirements.

Jason: Very little progress has been made since that episode, Jacob. And the CIRCIA rule is on the horizon. I don’t think the numbers are going to get much better.

Jacob: I don’t think so either. But that’s why we’re here — raising awareness about the town hall. Also, quick note on 7012: this is exactly why you shouldn’t conflate CMMC and DFARS 7012. CMMC doesn’t have an incident reporting requirement. DFARS 7012 does. If you mix up the two, you can’t speak to CIRCIA intelligently during the town hall. You’re welcome.


7 Key Differences Between CIRCIA and DFARS 7012

Jacob: Let’s get everybody on the same page. Why does CIRCIA matter? What are the differences? First — register for the town hall. Link is in the description. Do that now. Then come back and listen to this.


Difference 1: Different Reporting Triggers

Jacob: At first glance, CIRCIA looks like a duplicate of DFARS 7012’s 72-hour cyber incident reporting requirement. But when you dig deeper, it’s fundamentally different and much larger.

DFARS 7012 says: report incidents that affect a covered contractor information system or the covered defense information residing in that system. You have CUI, you have a system that processes it, something affects one or both — let us know. That’s basically it.

CIRCIA, on the other hand, requires you to report if you have a reasonable belief that you’ve experienced any of the following: a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network — including OT systems; a serious impact on the safety and resiliency of operational systems and processes; a disruption of your ability to engage in business operations or deliver goods and services; or unauthorized access to your systems or non-public information facilitated through a compromise of a cloud service provider, managed service provider, or supply chain compromise.

There are far more things that would trigger a report under CIRCIA compared to DFARS 7012.

Jason: To break that down — under DFARS 7012, you detect an incident, determine whether it’s substantial enough, and report it if it is. Under CIRCIA, you report as soon as something suspicious possibly happened. If it turns out to be nothing, you say “false alarm.” If it turns out to be something, you’ve already reported it — well before any formal incident response process kicks in. So under CIRCIA you could report something that you ultimately never report under DFARS 7012, and vice versa. You’re juggling two completely different triggers.


Difference 2: Different Scope

Jacob: DFARS 7012 is very specifically focused on CUI. If an incident doesn’t affect CUI data or a covered contractor information system, it’s not reportable. Under CIRCIA, almost any cyber incident you experience as a covered organization — simply by virtue of existing in the defense industrial base as a critical infrastructure sector — is potentially reportable. It doesn’t matter about your CMMC scope or your CUI scope. Your out-of-scope systems, if they experience an incident, are reportable under CIRCIA. Big difference.

Jason: It’s kind of like having to report if your third cousin got a speeding ticket on your background check.

Jacob: That’s an oddly specific example, but yes — they want to know the whole family tree, not just your direct CUI systems. The CMMC scoping guide gives contractors a ton of outs to limit their scope as aggressively as possible. CIRCIA does none of that.


Difference 3: Different Report Contents

Jacob: CIRCIA wants to know about incident timing, impact information, technical details that most defense contractors wouldn’t even understand — let alone be able to provide — threat actor information, mitigation information, and full third-party information about your MSP, MSSP, cloud service provider, and any other third parties involved in discovery or response. None of that is really required in a DFARS 7012 report. The DFARS 7012 report is very basic. CIRCIA reports are extremely detailed and involved — and they want all of that information within 72 hours.

Jason: That’s an extremely fast timeline. A lot of these capabilities in the DIB are going to involve vendors and chains of communication that take time to activate. Specialists have to be brought in. How realistic is that within 72 hours?

Jacob: The real irony is that DoD just wants you to tell them something happened, and they’ll follow up if they want details. They mandate controls that allow you to detect incidents. CISA and DHS, on the other hand, have completely avoided requiring contractors to implement NIST SP 800-171 — we’ve covered this for years — but they want insanely detailed cyber incident reports. So which is it, CISA? You can’t get a detailed report out of contractors if you don’t require them to implement the controls that enable the reporting.


Difference 4: Different Treatment of Ransomware

Jacob: Under DFARS 7012, there are no separate ransomware payment reporting requirements whatsoever. It’s not even mentioned. Under CIRCIA, there is an entirely separate report required — within 24 hours of making a ransomware payment, you need to file a different kind of report, on top of whatever general cyber incident report you’ve already submitted.

Jason: This is kind of counterproductive too, because technically you should already be reporting to CIRCIA the moment anything suspicious happens. So as soon as someone tells you to pay a ransom to get your systems back, you should already be reaching out with a detailed report about that.


Difference 5: Different Reporting Lifecycle

Jacob: Under DFARS 7012, you report the incident and DoD says “we’ll get back to you if we need more information.” Under CIRCIA, the reporting obligations continue until morale improves.

You have to provide an initial report when you have reasonable belief something happened. You have to provide another report when you make a ransomware payment. Then you have to provide supplemental reports anytime there’s a new discovery, a change, or any meaningful development related to the incident — whatever that means. And additional reporting is required anytime significant new information becomes available after that. The rule doesn’t clearly explain when the obligation ends.

Jason: And all of these additional responsibilities carry legal obligations. If you don’t comply, there are penalties. If you don’t have the specialists, the time, or the processes in place — how realistic is any of this?


Difference 6: Different Data Preservation Requirements

Jacob: Under DFARS 7012, you maintain data related to the specific incident you’re reporting for up to 90 days. Under CIRCIA, you have to maintain incident reporting information for two years after your last report — which could be a very long time after the actual incident, given all the chains of supplemental updates you’re required to submit. Much longer data retention under CIRCIA.

Jason: I’m not sure I understand why they need it for that long. If the incident has been investigated and the after-action work is done, why two years?

Jacob: The logic seems to be: of course everyone in a critical infrastructure sector wants to report this information and hold onto it for two years to help national cybersecurity awareness. Of course everyone has the ability, the money, the time, and the know-how to do that. Of course they do. Why is everyone yelling at us?


Difference 7: Different Enforcement Mechanisms

Jacob: Under DFARS 7012, it’s a contractual requirement — so the remedies are contractual. Non-compliance can trigger False Claims Act exposure, issues with DCMA, problems winning new awards. People are familiar with those.

Under CIRCIA, you don’t have a contract with DHS or CISA. This is a purely regulatory requirement being imposed on the DIB by an external agency. If you don’t comply, they can subpoena you, refer you to the DOJ, or pursue other enforcement actions. This isn’t just contract terms — it’s an actual regulatory regime. And that’s something the DIB hasn’t really experienced before. The unique thing about cyber regulations in the DoD space is that they’ve always been contract clauses. CIRCIA is the first time the DIB will face an external regulatory framework that isn’t just a contract clause.

Jason: Is this going to become part of the same FCA conversation? Another route to enforcement for non-compliance?

Jacob: DHS and CISA are waving around a statutory justification from the CIRCIA statute saying Congress wants this information and if you don’t provide it, they’re prepared to do whatever it takes to get it. They’re carrying a pretty big stick.


Can Defense Contractors Avoid CIRCIA?

Jacob: So can we get around this? I don’t feel confident that CISA and DoD are going to reach a formal agreement that eliminates the second reporting requirement for defense contractors. The rule does mention that if CISA and the other agencies reach a formal agreement to share existing reporting, that would remove the secondary requirement. But these are fundamentally different reporting regimes — different information, different scope, different data retention. And this population represents 25% of everyone they expect to be reporting to them.

The Congressional Research Service agrees. In their 2024 report on the rule, they concluded that it seems unlikely federal regulators will relinquish their specific reporting requirements in deference to CISA, because existing regulations and the proposed CISA rule serve different purposes.

I’ve asked DoD about this multiple times over the years — including asking the Under Secretary for Cyber Policy just a few months ago. I get either a shrug or a blank stare. Anecdotally, I do not feel confident there’s going to be an agreement reached here at all.

Jason: It requires a lot of agencies to collaborate and compromise, and that’s historically not something that happens smoothly. I can see why CIRCIA exists — Colonial Pipeline showed what happens when critical infrastructure gets hit. But applying this level of compliance to every defense contractor, including small mom-and-pop shops, feels like an overreach.

Jacob: That’s actually a great point for a future episode. CISA is regulating 300,000 companies instead of 13 million because for every other critical infrastructure sector they carve out small businesses — except for the defense industrial base. If you want to know how they reached that conclusion, let us know in the comments and we’ll do another episode.

Jason: I would actually like to know that answer.

Jacob: I would like to subscribe to more rulemaking facts.


The Town Halls — Act Now

Jacob: So — if you didn’t think at the start of this episode that you needed to tune into the town hall and share your feedback, maybe you do now.

The CIRCIA final rule was expected in the first half of 2026. Instead, CISA is asking for more input. The critics are going to argue the scope is too broad, the information requirements are unrealistic, harmonization isn’t working, and the compliance burden is too high. The supporters will argue that the government can’t identify patterns of cybersecurity issues across critical infrastructure if it never sees them — and that better visibility leads to better collective defense. CIRCIA is intended to function as a national cyber warning system that Congress explicitly mandated in statute.