Module: 01h — CIRCIA: Cyber Incident Reporting for Critical Infrastructure
Difficulty: Intermediate
Questions
Q1. Under CIRCIA, within how many hours must a covered entity report a covered cyber incident to CISA after reasonably believing the incident occurred?
- A) 24 hours
- B) 48 hours
- C) 72 hours
- D) 96 hours
Correct answer: C
Explanation: CIRCIA's covered cyber incident reporting clock is 72 hours, running from when the entity reasonably believes a covered incident occurred. "We're still investigating" does not stop this clock.
Q2. CIRCIA's ransomware payment reporting deadline is the tightest cybersecurity reporting deadline in U.S. law. How many hours does a covered entity have to report a ransom payment to CISA?
- A) 72 hours after the incident is confirmed
- B) 48 hours after payment is made
- C) 24 hours after making any ransom payment
- D) 30 days after the payment clears
Correct answer: C
Explanation: The 24-hour ransomware payment clock runs from making any ransom payment, regardless of whether a covered cyber incident report was already submitted. This is separate from — and tighter than — the 72-hour incident reporting clock.
Q3. CIRCIA was enacted on March 15, 2022, as part of what larger legislative vehicle?
- A) The National Defense Authorization Act, FY2022
- B) The Consolidated Appropriations Act, 2022
- C) The Infrastructure Investment and Jobs Act
- D) The American Data Privacy and Protection Act
Correct answer: B
Explanation: CIRCIA was signed by President Biden on March 15, 2022, as part of the Consolidated Appropriations Act, 2022. It is administered by CISA within the Department of Homeland Security.
Q4. Which presidential policy directive defines the 16 critical infrastructure sectors that determine CIRCIA covered entity status?
- A) Presidential Policy Directive 8 (PPD-8)
- B) Presidential Policy Directive 41 (PPD-41)
- C) Presidential Policy Directive 21 (PPD-21)
- D) National Security Directive 42 (NSD-42)
Correct answer: C
Explanation: A covered entity is any organization that owns or operates assets in one of the 16 critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21). The analysis starts with sector classification, not company size.
Q5. A hospital discovers it is a CIRCIA covered entity facing both a ransomware attack (payment made) and a covered cyber incident. What deadline governs if the entity submits a combined report?
- A) The 72-hour incident deadline, because it was triggered first
- B) The 24-hour payment deadline, because it is the tighter constraint
- C) A 48-hour compromise deadline set by the NPRM
- D) Neither — combined reports are prohibited under the NPRM
Correct answer: B
Explanation: When a covered cyber incident is also a ransomware attack, the entity may submit a combined report — but the 24-hour ransomware payment deadline controls, as it is the tighter of the two clocks.
Q6. CIRCIA's safe harbor provisions distinguish it from all U.S. state breach notification laws. Which of the following is NOT a protection provided by CIRCIA's safe harbor?
- A) CIRCIA reports cannot be used by federal agencies as the basis for regulatory action against the reporting entity
- B) CIRCIA reports are protected from FOIA disclosure
- C) A CIRCIA report cannot be construed as an admission of fault or a violation of law
- D) CIRCIA reports are protected from disclosure to law enforcement agencies
Correct answer: D
Explanation: CISA will share CIRCIA reports with relevant sector risk management agencies and law enforcement. While the FOIA protection and regulatory-action bar are real, CIRCIA's safe harbor does not shield reports from law enforcement visibility — DOJ will see the reports.
Q7. Under CIRCIA's enforcement framework, what happens if CISA believes a covered entity experienced a covered cyber incident but failed to report it?
- A) CISA may immediately assess civil penalties without further process
- B) CISA may issue a subpoena to compel reporting, with DOJ referral for non-compliance
- C) CISA refers the matter directly to the SEC for enforcement
- D) CISA publishes the entity's name on a public non-compliance registry
Correct answer: B
Explanation: CIRCIA gives CISA subpoena authority to compel reporting from entities that failed to report. Failure to comply with a CISA subpoena results in referral to the Department of Justice for enforcement action, and civil penalties are available for subpoena non-compliance.
Q8. Unlike the CFAA's civil suit threshold, CIRCIA's covered cyber incident reporting trigger has what financial floor?
- A) $5,000 minimum loss, matching CFAA
- B) $50,000 minimum loss
- C) $1,000,000 minimum loss for critical infrastructure
- D) No minimum financial loss threshold
Correct answer: D
Explanation: CIRCIA does not propose a minimum financial loss threshold. The trigger is the nature of the incident, not the dollar amount — unlike CFAA's $5,000 loss requirement for civil suits.
Q9. The "substantially similar reports" provision in CIRCIA addresses entities with existing sector-specific reporting obligations. What does this provision permit?
- A) Covered entities may delay CIRCIA reporting by 30 days if they file with a sector regulator first
- B) A comparable incident report already filed with another federal agency (FERC, TSA, FRB, etc.) may be submitted to CISA as the CIRCIA report
- C) Covered entities are fully exempt from CIRCIA if they have an existing sector reporting obligation
- D) CIRCIA reports to CISA automatically satisfy all state breach notification obligations
Correct answer: B
Explanation: If a covered entity already filed a comparable incident report with another federal agency (such as FERC, TSA, FRB, OCC, FDIC, or HHS), that report may be submitted to CISA as the CIRCIA report — avoiding duplicative reporting for entities with existing sector-specific obligations.
Q10. CIRCIA's NPRM was published on April 4, 2024. As of the module's publication, what is the expected status of the final rule?
- A) The final rule was published in December 2024 as originally scheduled
- B) The final rule is expected in May 2026, after a February 2026 Federal Register notice and sector town halls
- C) The NPRM was withdrawn and CIRCIA rulemaking restarted under a new administration
- D) The final rule has indefinitely delayed the 72-hour and 24-hour reporting clocks
Correct answer: B
Explanation: The NPRM was published April 4, 2024 (188 pages). A February 13, 2026 Federal Register notice announced March 2026 sector town halls to refine scope and burden. The final rule is expected May 2026, delayed from the original 2025 target. The 72-hour and 24-hour clocks remain stable in the NPRM.