Key Facts
Key Information
About
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a U.S. federal law enacted in 2022 as Title LXVII of the National Defense Authorization Act for Fiscal Year 2023. It requires covered entities in 16 critical infrastructure sectors to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of becoming aware of them, and to report ransomware payments within 24 hours. The law aims to improve federal visibility into cyber threats, enhance incident response, support threat intelligence sharing, and protect national security and economic interests by requiring detailed reports on each incident, its impacts, and mitigation efforts. CIRCIA also authorizes CISA to issue regulations, share reported information with other agencies, and impose civil penalties for non-compliance, with implementation rules finalized in 2024.