What MSPs Need to Know about CIRCIA Final Rule

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) final rule is expected to be finalized in May 2026, and it's about to change how you support clients in healthcare, financial services, manufacturing, government, and 12 other critical infrastructure sectors.

As part of the rule, covered entities must report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. These aren't suggestions—they're legal requirements backed by potential penalties for non-compliance.

The 72-hour reporting clock creates a real problem for small to mid-market organizations. They need:

  • Comprehensive logging across endpoints, networks, cloud infrastructure, and identity systems
  • 24x7 monitoring that can detect incidents in real time
  • Expert analysis to determine if what they're seeing meets the "substantial" threshold
  • Documented procedures for the entire incident response and reporting process

In conversations with MSPs across the country, the most common response is confusion about whether CIRCIA is law or still being discussed. The biggest gaps we're seeing:

  • Lack of awareness that CIRCIA is already law, not proposed regulation
  • Confusion about the specific requirements and who falls in scope
  • Assumption that only Fortune 500 and enterprise organizations are covered

That last one is critical. Small and mid-market organizations absolutely can be covered entities under CIRCIA. The first step in CISA's covered entity determination process identifies critical infrastructure presence regardless of organization size. A small community hospital serving 15,000 people? Covered. A regional IT service provider supporting county elections infrastructure? Covered. A 50-person manufacturing operation engaged in critical production? Potentially covered.

The Opportunity Hidden in the Mandate

Here's where this gets interesting for MSPs. Clients who've been resistant to investing in SIEM, MXDR, or continuous monitoring suddenly have an external driver that makes these services non-negotiable. CIRCIA gives you permission to have harder conversations about security investments that were previously "too expensive" or "not a priority right now."

That compliance-focused client who only cared about checking boxes? They now need operational security capabilities, not just policy documentation. That cost-conscious client who questioned the value of 24x7 monitoring? They're facing legal reporting obligations that require exactly that. Even clients who've never been breached and thought they were safe need these capabilities to avoid non-compliance penalties.

The tight timelines also make it clear that clients can't handle this alone. They need their MSP to provide the monitoring infrastructure, detection capabilities, and expert guidance that makes 72-hour reporting possible. This isn't something they can retrofit after the fact—they need it in place before incidents occur.

Which Industries Fall Into Scope?

CIRCIA covers organizations across 16 critical infrastructure sectors, but the specific criteria are more nuanced than just "are you in healthcare?"

Covered entities include:

  • Hospitals and pharmaceutical manufacturers
  • Financial services institutions above certain thresholds
  • IT service providers supporting federal government or elections infrastructure
  • Manufacturing operations engaged in critical production
  • State and local government entities serving populations over 50,000
  • Communications service providers
  • Energy and utilities providers
  • Transportation entities
  • And others across the remaining critical infrastructure sectors

If you're an MSP supporting public sector clients, you may be a covered entity yourself. And even if you're not directly covered, your clients' obligations become your obligations when they're counting on you for detection and response capabilities.

The small business exception provides some relief. Organizations that meet SBA small business size standards are exempt from CIRCIA requirements, which takes some of your clients out of scope. But for everyone else who falls into one of the 16 sectors, compliance is mandatory.

Not sure if a client is covered? CISA has published a covered entity fact sheet.

What "Substantial" Actually Means

CIRCIA requires reporting of substantial cyber incidents, which means incidents that lead to:

  • Substantial loss of confidentiality, integrity, or availability of information systems
  • Serious impact on operational systems and processes
  • Disruption of business operations or service delivery
  • Unauthorized access facilitated through supply chain compromise (including compromise of your MSP infrastructure)

In practice, reportable incidents include:

  • Ransomware that locks clients out of their systems
  • Business email compromise resulting in unauthorized wire transfers
  • Sustained denial of service attacks lasting more than 12 hours
  • Data exfiltration from client environments
  • Successful phishing attempts that lead to unauthorized system access (depending on impact)

The challenge is twofold: determining if an incident crosses the "substantial" threshold quickly enough to meet the 72-hour reporting deadline, and gathering the detailed information needed to complete CISA's reporting requirements. You need visibility into what happened, when it happened, what systems were affected, how the attacker gained access, what actions they took, and what data or systems were impacted.

MSPs will need to ensure proper visibility and logging to tell the complete story of the incident and complete the required reporting material in full. Incomplete reports, false claims, or insufficient documentation could trigger scrutiny from CISA or other government agencies. This means your logging infrastructure can't have gaps—you need comprehensive telemetry from all critical systems so you can reconstruct the attack chain when incidents occur.

Your Action Plan: What to Do Now

The good news is there's still time to prepare, but you need to start now. Here's the roadmap based on what's working for MSPs who are ahead of this curve.

1. Identify which clients are covered entities

Use CISA's sector-based criteria to systematically review your client portfolio. Focus initially on:

  • Healthcare facilities
  • Financial services firms
  • Manufacturing operations
  • State or local government entities
  • IT service providers to government

For each client, document whether they meet the sector criteria and whether the small business exception applies. This gives you a clear picture of which clients face mandatory compliance requirements.

2. Assess current capabilities for covered clients

Evaluate whether they can:

  • Collect and retain logs from all critical systems
  • Detect unauthorized access, DoS attacks, ransomware, and data exfiltration in real time
  • Respond and investigate within 72 hours
  • Document everything for compliance reporting

Most clients will have significant gaps, particularly around 24x7 monitoring and expert incident analysis.

3. Integrate all data sources into SIEM immediately

Don't slow-roll SIEM deployment or take a phased approach to log integration. You need complete visibility across all systems to satisfy CIRCIA's monitoring requirements. Prompt integration of all data sources delivers better visibility, more accurate detection, and faster use case tuning. This is much easier to achieve through managed SIEM and MXDR services than by trying to do it yourself with limited security resources.

4. Review and update incident response plans

Every covered entity needs a documented incident response plan that addresses CIRCIA reporting requirements. Review your current IR plans alongside your MXDR provider or security experts for recommendations on accuracy and execution capability.

Key questions to answer:

  • Who determines if an incident is reportable?
  • Who completes the CISA report?
  • Who communicates with the client?
  • How do you coordinate with law enforcement if needed?

MSPs should honestly assess their own skill sets, readiness, and processes for executing incident response that includes federal reporting obligations. Do you have the security expertise to make reportability determinations? Can you gather and document all required information within 72 hours? Do you have templates and procedures that align with CISA's reporting format?

The timeline for getting clients ready depends on their existing security posture, but with proper governance and documentation, it should be relatively quick. The key is not treating this as a long-term project but as an urgent capability gap that needs to be closed.

How Todyl Supports CIRCIA Readiness

This is where Todyl's unified platform becomes your competitive advantage. Instead of cobbling together separate tools for SIEM, MXDR, EDR, and GRC—each with its own agent, console, and billing relationship—you deliver comprehensive CIRCIA readiness through a single integrated platform.

Todyl SIEM provides:

  • Flexible retention periods that meet compliance requirements
  • Managed detection rules continuously optimized by security experts
  • Powerful search and investigation capabilities
  • Pre-built compliance dashboards

Your clients get the comprehensive monitoring the rule demands without the complexity and cost of traditional SIEM solutions.

Todyl MXDR delivers:

  • 24x7 monitoring and threat hunting by skilled security analysts who understand CIRCIA requirements
  • Real-time incident notification through your preferred channels
  • Expert analysis to determine what's reportable
  • Full transparency into detection, investigation, and response activities for CISA reporting

Todyl GRC provides:

  • Templatized incident response plans and reporting guidelines
  • Centralized documentation that can be stored and shared
  • Streamlined policy and procedure management

A quality incident response plan is a key CIRCIA requirement, and Todyl GRC helps simplify the documentation and governance process.

The unified platform advantage:

  • Single-agent deployment reduces complexity across your client portfolio
  • Correlated detection across endpoints, networks, and cloud infrastructure
  • Integrated case management for streamlined incident tracking and reporting
  • Automated compliance documentation reduces administrative burden

Starting the Client Conversation

The key to positioning CIRCIA with clients is framing it as validation for security investments you've already been recommending, not as a new burden to bear. These clients need SIEM and MXDR whether or not CIRCIA existed, because the threats are real and the business impact of incidents is severe. CIRCIA simply makes these capabilities mandatory rather than optional.

When you reach out to covered clients, lead with the business impact. When the final rule goes into effect, they'll face legal obligations to report substantial cyber incidents within 72 hours. The tight timeline requires monitoring and detection capabilities they likely don't have today. You can assess their readiness, identify specific gaps, and implement solutions that achieve compliance while genuinely protecting their business.

Frame this positively. You're not selling them compliance overhead—you're helping them build the security infrastructure that lets them detect and respond to real threats before those threats cause major damage. CIRCIA reporting is just one benefit of having proper visibility into their environment.

The biggest objection you'll likely face is ambiguity about who's in scope. Many clients will assume they're too small or not important enough to be covered. Point them directly to CISA's covered entity fact sheet and decision tree. Work through the determination process together rather than making assumptions. This positions you as a value-added advisor who understands the regulatory landscape, not just a vendor trying to sell services.

Get Started Today

Implementing comprehensive monitoring and detection across a portfolio of clients takes time. You need to deploy logging infrastructure, integrate data sources, tune detection rules, establish SOC procedures, and document response workflows. Clients need to understand their obligations, approve budgets, and work through any technical or operational challenges that come up during deployment.

MSPs who start this process now will have clients ready from day one. Those who wait will be scrambling to retrofit compliance capabilities while already facing reporting obligations for incidents that occur during the transition period.

The federal government has made it clear that visibility into critical infrastructure cyber incidents is now a matter of national security. That visibility depends on covered entities having the monitoring and detection capabilities to know when incidents occur—capabilities that most organizations can only access through their managed service provider.

This is your opportunity to step up, differentiate your services, and deliver real value to clients who need you now more than ever.

Contact our team to discuss how Todyl's unified platform can help you deliver CIRCIA readiness services across your client portfolio. We've worked with MSPs in all 16 critical infrastructure sectors and can share proven strategies for positioning and implementing these capabilities.
