Cybersecurity · United States

Sectoral rules: sector-specific rules (SEC, FTC, HIPAA) plus CISA as lead civilian cyber agency; CIRCIA (2022) cross-sector incident-reporting rule pending final adoption

The United States does not have a single comprehensive federal cybersecurity law. Obligations are imposed through a patchwork of sector-specific regulations — covering public companies (SEC), non-bank financial institutions (FTC Safeguards Rule), healthcare (HIPAA Security Rule), and critical infrastructure — alongside voluntary NIST standards referenced in federal procurement. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022) will create the closest analog to a cross-sector mandatory reporting regime once CISA issues its final rule, now anticipated after May 2026 due to appropriations-related delays.

CIRCIA — Cross-Sector Incident Reporting

Signed into law March 2022, CIRCIA requires CISA to promulgate rules mandating covered critical-infrastructure entities to report cyber incidents within 72 hours and ransom payments within 24 hours. The NPRM was published April 4, 2024; the final rule was targeted for May 2026 but faces further delay due to DHS appropriations lapses.

SEC Cybersecurity Disclosure Rules (2023)

Adopted July 26, 2023 and effective December 2023, SEC rules require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of a materiality determination, and to provide annual disclosures of cybersecurity risk-management processes and governance in Form 10-K.

FTC Safeguards Rule — Financial Sector Breach Notification

Non-banking financial institutions (mortgage lenders, payment processors, tax preparers, etc.) covered by the Gramm-Leach-Bliley Act must notify the FTC within 30 days of a security breach affecting 500 or more consumers. This breach-notification amendment took effect May 2024.

HIPAA Security Rule — Healthcare Cybersecurity NPRM

HHS published a Notice of Proposed Rulemaking on January 6, 2025 to strengthen HIPAA's Security Rule, proposing stricter technical safeguards for electronic protected health information (ePHI), mandatory encryption, and enhanced incident-response requirements for covered healthcare entities and their business associates.

NIST Cybersecurity Framework 2.0 & Executive Orders

NIST CSF 2.0 (published February 2024) added a 'Govern' function and supply-chain emphasis; though voluntary for the private sector, it is referenced in federal procurement requirements. Executive Order 14144 (January 2025) and EO 14306 (June 2025) extended federal agency requirements around secure software development (SSDF), post-quantum cryptography transition, and third-party software accountability.

Telecom Sector — FCC Cybersecurity Rule (2025)

A Federal Register rule published December 15, 2025 addresses cybersecurity threats to the nation's communications systems, extending sector-specific obligations to telecommunications providers under FCC authority.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.