A
All right folks, it is June of 2026, and do you guys remember the 2021 Colonial Pipeline ransomware attack? Anybody out there remember standing in line for gas on the East Coast? Remember how Congress reacted to that little situation with the Cyber Incident Reporting for Critical Infrastructure Act of 2022? And then remember in 2024 when CISA published a 457-page-long proposed rule that would create mandatory cyber incident reporting requirements for more than 300,000 organizations across 16 different critical infrastructure sectors, including the defense industrial base? No? Nobody remembers that? Well, that's kind of the problem, right? Back in 2024, we spent an entire podcast explaining that CIRCIA wasn't just another version of the DFARS clause 252.204-7012 cyber incident reporting requirements. It is a much broader reporting regime with different triggers for reporting, broader incident definitions, more information requirements in the reports, and significantly longer data preservation requirements after the reporting. We also said that if CISA and the Department of Defense couldn't reach a formal agreement, then this would become a major new compliance burden and legal liability for defense contractors. But now, in 2026, instead of a final rule, CISA has announced a new round of town halls to gather additional feedback to refine the scope of the proposed rule. And that's important because the defense industrial base represents one of the largest affected populations in the entire proposal. Nearly a quarter of all covered entities under CIRCIA are defense contractors. And yet when the proposed rule was released, very few of the public comments, barely any of them, came from the DIB at all. So if you've got opinions about CIRCIA, this is your best opportunity to make them known before the final rule arrives. And that's what we're going to talk about today.
Jason, in our podcast on the proposed rule, we shouted as loud as we could that the defense industrial base has more covered entities under CIRCIA than any other critical infrastructure sector. Nearly 25% of the entities affected by this rule are defense contractors. And yet nobody seems to know anything about it. In fact, this is a fun fact: we shouted so loud that that podcast episode was officially cited in congressional testimony to the House Homeland Security Committee in their hearing on the proposed rule in May of 2024. Link below. But here we are, two years later, and people still have no idea what CIRCIA has in store for them.
B
Much like every podcast, I hope I didn't say something terribly embarrassing, right? But this episode specifically, two years ago, I can probably recite the exact words that I said, because I kind of echo some of the same sentiments towards this rule and towards what's happening in the DIB. And that is, DFARS 7012 covers essentially three things, Jacob: the handling of CUI, the protecting of CUI, and then this third factor that people seem to let slip their mind, and that is the reporting of when you fail to handle or protect CUI appropriately. It actually is, as much as we say the implementation of controls is a big problem, probably the most neglected part of DFARS 7012, whether for reputational damage or whatever. I could argue that till the cows come home. But here we are, Jacob, two years later. Okay, two years later and people are still trying to wrap their heads around the first two elements that I mentioned: the protection and the handling.
A
Yep. I mean, it's in the title. DFARS 7012: safeguarding the information and reporting the incident requirements.
B
Well, here's the deal. Very little progress has been made since that episode two years ago, Jacob. And the CIRCIA rule is on the horizon. I don't think the numbers are going to get much better, buddy.
A
I don't think so. But hey, that's what we're doing here. We're raising awareness about the town hall. I really don't think that a lot is going to change, but you never know. This is an opportunity because the comment period ended a long time ago. So if you didn't know about it back then, here is your chance, everybody. Also, just a quick note on 7012. This is why. Shame on you all who shame me for saying that CMMC and DFARS 7012 are different things. CMMC doesn't have an incident reporting requirement, everybody. DFARS 7012 does. So if you mix up the two and don't know the difference, then when stuff like this happens, you can't speak to it intelligently during the town hall. So you're welcome.
B
But I will argue that CMMC requires you... Well, no. 7012... Still, no. Never mind. Still 800-171. No, the argument's not there.
A
Well, you know what, I'll try to help you all. We'll try to cover it in a different episode. Anyways, let's get everybody on the same page. Why does CIRCIA matter? What are the differences? Then we'll, you know, like I said at the bottom, first things first: register for the town hall. I don't know how many spots they have left. The link for the registration is in the comments. Go down in the description. Go down there and do that right now.
B
If you're...
A
If you don't believe me, wait till you hear this. Okay, so at first glance, CIRCIA looks just like a duplicate of the DFARS 7012 72-hour cyber incident reporting requirement. Right? But when you dig deeper, CIRCIA is fundamentally different and much larger. We have seven differences to go through. What do you know? Right, so the first, crazy, right, the first difference: there is a different trigger for cyber incident reports. DFARS 7012 says rapidly report incidents that affect a covered contractor information system or the covered defense information that resides inside that system. You have the controlled information. You have a system that processes that controlled information. There's an incident that affects one or both of those things, let us know. That's basically it. CIRCIA, on the other hand: you have to report incidents if you have a reasonable belief that you have experienced one of the four following things. A substantial loss of confidentiality, integrity or availability of a covered entity's information system or network, including OT systems. A serious impact on the safety and resiliency of a covered entity's operational systems and processes. A disruption of a covered entity's ability to engage in business or industrial operations or deliver goods and services. Unauthorized access to a covered entity's information system or network, or any non-public information contained therein, that is facilitated through or caused by a compromise of a cloud service provider, a managed service provider or other third-party data hosting provider, or a supply chain compromise. There's way more things that would trigger a report under CIRCIA compared to DFARS 7012.
B
So just for reference, Jacob, and kind of to break this down a little bit: for 7012, you have incident reporting capabilities in place, and then you determine whether or not an incident is substantial enough to report it directly up. Right? If the compromise is big enough, you have to report that. Under CIRCIA, you would have to report at the alert that triggers you to report the incident. You would have to say something sus possibly happened, we're going to alert it, and then if it turns out to be nothing, be like, hey, false alarm. But if it turns out to be something, you report it right there at the root of it. This is way before any incident response triggers technically take place in most information systems built in CMMC.
A
Yeah, that's right. So here under CIRCIA, if you have the obligation under CIRCIA and DFARS 7012, you would have to report it first under CIRCIA because you think something happened, then you find out something didn't happen. So you never reported under DFARS 7012, and vice versa. And it's just a bunch of stuff that you have to juggle because there's different triggers for the reports. But like we talked about in the triggers for reports, it gets to the second difference. There are different scopes for the reports. For DFARS 7012, it's very specifically focused. Everything revolves around CUI and CUI systems. If it doesn't affect the CUI data or a covered contractor information system, then it's not reportable. Under CIRCIA, almost any cyber incident that you experience as a covered organization, by virtue of the fact that you exist in the defense industrial base as a critical infrastructure sector, is reportable. Doesn't matter about your CMMC scope, doesn't matter about your CUI scope. Your out-of-scope systems, if they experienced an incident, are reportable under CIRCIA. Big, big difference.
B
It's kind of like having to report if your third cousin got a speeding ticket on your background check. Right?
A
That's an oddly specific example.
B
But yeah, that's it. They want to know the whole family tree, what incidents are happening there, not just your direct CUI family system. Right? Like, yeah, that's the best way to explain the second.
A
The CMMC scoping guide gives contractors a ton of outs to limit their scope as aggressively as possible. CIRCIA does none of that. So these are completely different things. That gets to the third difference. There are different requirements for what's in the report, the contents of the report. We could do an entire episode just on the details that CIRCIA wants in the reports. But briefly, they want to know about incident timing. They want impact information. They want all the technical information that most defense contractors don't have a prayer of even understanding what they're asking for, let alone providing it. They want threat actor information, they want mitigation information, they want third-party information about your MSP, your MSSP, your cloud service provider, any other third parties that are involved in the discovery process or the response at all, period. None of that is really required in a DFARS 7012 report. The DFARS 7012 report: very, very basic. CIRCIA reports: extremely detailed and involved. And they want all that information within 72 hours, by the way.
B
Yeah, kind of a fast, expedited timeline, like this escalated very quickly in the case of CIRCIA. A lot of these capabilities within the CMMC ecosystem and the defense industrial base specifically are going to involve either a vendor or something like that in some sort of chain of communication that's going to have to activate processes; specialists and stuff like that have to come in within 72 hours. How realistic is that?
A
Well, the real irony here, right, is that DoD just wants you to tell them if something happened, and they'll get back to you if they want details about what happened. And they want to make sure that you have the ability to report an incident by mandating that you have implemented controls that allow you to detect whether an incident has happened. CISA, on the other hand, and DHS have completely avoided requiring contractors to implement NIST SP 800-171. We've covered this about the DHS CUI rule for years. So they don't want to make it mandatory that contractors have these requirements, but they do want these insanely detailed cyber incident reports. So which one is it, CISA? Do you want them to do the required cyber stuff to do the reports or not? Because you ain't going to get a detailed report if you don't make the contractors do the stuff that enables the reporting. Pro tip, everybody.
B
And then if they stand on business for the detailed reports, how long do they stand on that business before they realize that it's not producing the results that it wants?
A
Yep, yep, yep. Pretty crazy. All right. Fourth difference here: different treatment for ransomware. Specifically, under DFARS 7012, there are no separate ransomware payment reporting requirements at all. They are not even mentioned. Under CIRCIA, they have an entirely separate report that is required whenever you make a ransomware payment, within 24 hours of paying a ransomware actor. You need to issue a different kind of report under CIRCIA, not just your general cybersecurity incident report that we talked about earlier.
B
This is kind of counterproductive too, because technically you're supposed to report under CIRCIA whenever anything sus happens. So as soon as the Crown Prince contacts you and tells you that you need to pay this ransom to get your system back, you should be reaching out. Right? Like with a detailed report saying, Crown Prince, this person says that I need to pay this much money to get my system back or they're going to lock everything up.
A
Yeah. And that gets to the fifth difference. There's a different reporting life cycle on top of the different kinds of reports, the triggers for the reports, and the contents of the reports. Under DFARS, you report the incident and DoD says, we'll get back to you if we need more information. Under CIRCIA, they say the reporting obligations will continue until morale improves. You have to provide an initial report whenever you have reasonable belief. You have to provide an initial report whenever you make the payment, and then indefinitely, because they don't explain how it ends, you have to provide supplemental reports anytime there's a new discovery or a change or any meaningful thing that occurs related to that incident, whatever the hell that means. And there's additional reporting anytime significant new information becomes available after that.
B
So first and foremost, I apologize for cracking up and losing my bearing, but "until morale improves" is just one of those terms that just causes me to crack up. Like, anybody that has any military, it's like, exhibit...
A
And here they're like, yo dog.
B
But yeah, so that, and then just the fact of all of the additional responsibilities. Right? Because there is an obligation legally here for organizations to adhere to this. And if you don't, there is a penalty. Right, Jacob? And so, like, if I have to do all of these things and all of these things are outside of my capability, I don't have the specialist or the time or the process in place. How realistic is this?
A
Well, let's talk about another thing that you've got to end up dealing with. Difference number six: there are different data preservation requirements stemming from incident reports. Under DFARS 7012, you maintain data related to the specific incident that you're reporting for up to 90 days. Under CIRCIA, you have to maintain the incident reporting information for two years after your last report, which could be way after the incident, thanks to all these chains of supplemental updates that you're required to submit. Much, much longer data retention requirement under CIRCIA reports compared to DFARS 7012.
B
I don't think I'm smart enough to know what exactly drives the reason for them to have to keep it for much longer than 90 days. Right? If we've investigated the incident, we know the background, they produce all of the after-action stuff from it. Like, we can move on from there, archive it, know that it's there in history. Right? Why for two years?
A
Well, you know, this is NIST levels of innocence and naivete here, where they go, of course everybody that is in a critical infrastructure sector wants to report this information and hang on to it for two years and help the national cybersecurity awareness problem by everybody supporting this large reporting process. Right? Like, of course everybody would want to do that. And they have the ability to do that, and they have the money to do that, and they have the time and the know-how to do that. Of course they would be able to do that. Right, right, of course, everybody. Why is everyone yelling at us? That's sort of what's going on in the rule here.
B
Yeah, of course. Plenty of it to go around, right?
A
Yeah. Well, let's get to the last difference here. Number seven, like you mentioned before: different enforcement. So under DFARS 7012, it's a contractual requirement. And so there are contractual remedies. If you don't do it, you have potential False Claims Act issues, you have issues with the Defense Contract Management Agency, winning new awards, so on and so forth. We've covered all those in depth over the years. People are pretty familiar with them. Under CIRCIA, you don't have a contract with DHS, you don't have a contract with CISA. This is purely a regulatory requirement being imposed on the defense industrial base by an external agency. And underneath the rule they talk about, if you don't do it, they can subpoena you, they can refer you to the DOJ. There's other enforcement actions that they're looking at for people that don't comply with what's going on. This isn't just like it's the terms of your contract. This is an actual regulatory regime that they're trying to impose here, which has been a thing that we haven't really talked about in the defense industrial base very much. Because the unique part about cyber regulations in the DoD is that they are contract terms, not just regulations. This is kind of the first time that the DIB will experience an external regulatory framework that isn't just contract clauses.
B
Do you feel as though, obviously FCAs are something that is budding and growing and things like that, do you feel like this is going to be one of those conversations that's talked about once this rule goes into effect? I guess the FTCs, the fail to comply, right? Another route to the FCA, making sure people are adhering to what needs to happen. Like, is it in the same conversation, the same bucket? Where it's like another unsealing of an FCA case, another FTC case, whatever it may be.
A
I mean, DHS and CISA are out here waving around a statutory justification from the CIRCIA statute that says that we're allowed to ask you for all these things. Congress wants you to tell us these things. And if you don't tell us, we're prepared to do whatever we need to do to get that information. So I don't... I don't know. They're carrying a pretty big stick, right? So, I mean, yeah, I don't know. I don't know.
B
I guess we'll see.
A
Right? It's a big question mark and one to pay attention to. Okay, so let's get to this idea. Can we avoid this problem? Like, how do we get around this little kerfuffle here? Right. So I don't feel confident that CISA and DoD are going to reach a formal agreement that keeps a second reporting requirement off of the back of defense contractors. They mentioned in the rule that if CISA and the other agencies reach a formal agreement to share existing reporting with CISA, that would remove this secondary requirement. But like we just talked about, these are fundamentally different reporting regimes. It's different information, it's different scope, it's different data, you know, retention. It's totally different. And this would be 25% of all the people that they expect to give them the reports. So I don't feel like they're going to, you know, like, replace what they're looking for with what DFARS 7012 was asking for back in 2016. And the Congressional Research Service agrees with that. They issued a report on the rule back in 2024, and their comment was: it seems unlikely that federal regulators will relinquish their specific reporting requirements in deference to CISA because existing regulations and the proposed CISA rule serve different purposes. So as it stands right now, I've asked the DoD this multiple times over the years. I've asked the Undersecretary for Cyber Policy as recently as a few months ago. They either shrug their shoulders or they look at me like they have no idea what I'm talking about. So anecdotally, I do not feel confident that there is going to be an agreement reached here at all. Yeah.
B
So it requires a lot of people to come together, right? And to collaborate and to compromise, and historically, not typically the groups that tend to do that in the best fashion. Right? When you were saying that, like, in that Congressional... the statement from the Congressional Research Service pointed something out. It was: they serve different purposes. So from the outside we look, and it's the purpose of incident response.
A
Right.
B
Like, 100%, identifying incidents and getting after actions and stuff like that to come from it. But then the things that you mentioned at the onset, the Colonial Pipeline, between that and then the DIB itself and the DIB's purpose of producing weapons, producing missiles, etc., etc. And then shutting down a whole pipeline that affects the infrastructure of the entire country to function.
A
Right.
B
Planes, gasoline, automobiles, for all of that, like, I could see where, why that draws bigger importance. The problem is, I think that it's overarching, you know, like attachment of compliance to people that technically it should apply to, those pipelines and things like that. Maybe not the mom-and-pop missile fan maker. Right? And so that's just... Sorry, an insertion. Probably not the best spot.
A
But I mean, we probably... Let us know in the comments if you're interested in an episode. We can talk about CISA's logic, because the reason that they're regulating 300,000 companies and not 13 million companies is because for every other sector they do a carve-out for small businesses, except for the defense industrial base. If you'd like to know how they reached that logical conclusion, let us know in the comments and we'll do another episode.
B
But I would like to know this.
A
It's a fun and wacky adventure.
B
In case the last 92 seconds didn't tell you anything: yes, I'm actually curious about the answer.
A
Like and subscribe for more rulemaking facts.
B
Click.
A
That brings us to the town halls, everybody. So if you didn't think at the beginning that you needed to tune into the town hall and give them a piece of your mind, maybe you do now. So the final rule of CIRCIA was expected in the first half of 2026. Instead, CISA is asking for more feedback. So the critics are going to argue that the scope is too broad, the information requirements are unrealistic, that harmonization isn't working, that the compliance burden is too high. The supporters of CIRCIA are going to say that the government can't identify patterns of cybersecurity issues across critical infrastructure if it never sees them, so you have to report them. And that better visibility is going to lead to better collective defense and cybersecurity. And that CIRCIA is intended to function as a national cyber warning system that Congress said they want in a freaking statute. So if you're a defense contractor and you've got opinions about CIRCIA, now is the time to share them on June 18th. Register at the link below because eventually this rule is going to get finalized. And when it is, pretending that it doesn't exist ain't gonna work anymore. So register for the town hall. Let us know if you want to know more about the CIRCIA rule below. Thanks for liking and subscribing. We're at 100,000 subscribers now, which is super awesome. We'll see you next week.
B
See you next week.
Episode: The Cyber Rule Everyone Forgot About Just Came Back
Hosts: Summit 7
Date: June 4, 2026
The hosts revisit the rarely discussed yet highly impactful proposed rule from CISA (Cybersecurity and Infrastructure Security Agency) implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which is set to drastically increase cybersecurity reporting obligations for the defense industrial base (DIB) and other critical infrastructure sectors. Despite its sweeping implications (nearly 25% of affected organizations are defense contractors), the rule has garnered little attention from within the DIB, which remains focused on more familiar regulations like DFARS 252.204-7012 and CMMC. With CISA launching new town halls for public feedback, the episode urges defense contractors to engage before the rule is finalized.
"If you've got opinions about CIRCIA, this is your best opportunity to make them known before the final rule arrives." — Host A [01:42]
“It actually is … probably the most neglected part of DFARS 7012.” — Host B [03:35]
"CMMC doesn't have an incident reporting requirement, everybody. DFARS 7012 does. So if you mix up the two … you can't speak to it intelligently during the town hall." — Host A [04:30]
The hosts systematically break down the major ways CIRCIA surpasses or differs from the current DFARS 7012 incident reporting requirements:
"There's way more things that would trigger a report under CIRCIA compared to DFARS 7012." — Host A [07:05]
"Your out-of-scope systems, if they experienced an incident, are reportable under CIRCIA. Big, big difference." — Host A [08:37]
“They want all that information within 72 hours, by the way.” — Host A [10:09]
"Under CIRCIA, they have an entirely separate report that is required whenever you make a ransomware payment, within 24 hours …" — Host A [11:57]
"Under CIRCIA, they say the reporting obligations will continue until morale improves." — Host A [12:40]
(This prompts laughter and a military joke from Host B at [13:20].)
"You have to maintain the incident reporting information for two years after your last report … much, much longer data retention requirement under CIRCIA reports compared to DFARS 7012." — Host A [13:57]
"This is an actual regulatory regime that they're trying to impose here, which … the DIB will experience … for the first time." — Host A [15:40]
“I do not feel confident that there is going to be an agreement reached here at all.” — Host A [18:51]
“If you didn't think at the beginning that you needed to tune into the town hall and give them a piece of your mind, maybe you do now.” — Host A [21:03]
"The CIRCIA rule is on the horizon … I don't think the numbers are going to get much better, buddy." — Host B [04:07]
"Shame on you all who shame me for saying that CMMC and DFARS 7012 are different things." — Host A [04:21]
"This is purely a regulatory requirement being imposed on the defense industrial base by an external agency." — Host A [15:55]
"This isn't just like it's the terms of your contract. This is an actual regulatory regime that they're trying to impose here." — Host A [16:08]
"If you don't tell us, we're prepared to do whatever we need to do to get that information. So I don't know. They're carrying a pretty big stick, right?" — Host A [17:10]
"Let us know in the comments if you're interested in an episode, we can talk about CISA's logic … it's a fun and wacky adventure." — Host A [20:28]
The episode closes with an emphatic reminder:
Defense contractors must get involved in CIRCIA's town halls and share concerns before CISA's sweeping new cyber incident reporting regime is finalized. Failure to engage now means living with potentially massive new compliance burdens and regulatory risks.
"When it is [finalized], pretending that it doesn't exist ain't gonna work anymore. So register for the town hall." — Host A [21:10]
Registration and further information: Link in episode description.