The most common CIRCIA question I hear isn’t about reporting timelines. 

It’s simpler… and it usually comes from the people who want a clean answer. 

Are we actually a covered entity? 

Boards ask it. Insurers ask it. Procurement asks it. And in the middle of an incident, someone will ask it again, usually when you have the least time to debate it. 

The best move is a short coverage memo that documents how you evaluated applicability under the proposed rule. When you have the right details on hand, you can typically draft this in about 30 minutes. 

CISA lays out a practical Step 1, Step 2, Step 3 framework you can use to structure that memo.  

If you haven’t read the broader context yet, start here: 
circia-2026-covered-entities-what-to-do-now

The goal: a defensible coverage memo in 30 minutes 

A coverage memo doesn’t need to be long. It needs to be clear, specific, and easy to defend later. 

Aim for three things: 

  • Which sector you operate in 
  • Whether you cross any proposed thresholds 
  • Any exceptions, affiliations, or edge cases that change the answer 

That’s it. 

If you can document those points with a few links and a few facts about your organization, you stop guessing, and you stop re-litigating the question every quarter. 

Step 1: Sector criteria, where CISA looks first 

CIRCIA applies to entities in the nation’s 16 critical infrastructure sectors. Step 1 is simply identifying whether you operate in one of them.  

CISA’s official sector list is here: 
https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors 

For most organizations, the “yes” answers show up in familiar places: 

  • Healthcare and public health 
  • Energy 
  • Water and wastewater systems 
  • Information technology 
  • Communications 
  • Government facilities 

Education often enters the conversation through public-sector infrastructure and supporting services, especially when shared services, funding models, or third-party platforms are involved. 

If you can’t confidently map your organization to a sector, pause and document why. That’s still useful, and it keeps your memo honest. 

CISA’s proposed applicability logic lives in the Notice of Proposed Rulemaking for 6 CFR Part 226.  
https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements 

Step 2: Size and threshold criteria, the common tripwires 

Once you align with a sector, Step 2 is where most organizations get surprised. 

This step examines size thresholds or operational indicators that CISA proposes using to focus reporting on entities whose incidents could meaningfully disrupt services.  

Here are the thresholds that recur in real-world coverage discussions. 

Education 

One proposed indicator is whether an education agency serves 1,000 or more students. 

That often includes: 

  • K–12 school districts 
  • Charter networks 
  • Regional education service agencies 

K–12 guide: 
circia-k12-covered-entity-72-hours 

Higher ed guide: 
circia-higher-ed-title-iv-reporting 

State, local, tribal, and territorial government 

A commonly referenced threshold is jurisdictions serving 50,000 or more residents.  

This can include counties, cities, regional authorities, and the shared services that support public safety and public-facing operations. 

County and city guide: 
circia-county-city-covered-entity 

Utilities and critical services 

Coverage indicators can depend on regulatory relationships and operational role. Common examples include: 

  • Electric utilities with reporting relationships to sector regulators (the sector criteria discussions reference NERC and DOE) 
  • Community water systems serving more than 3,300 people 

Electric utilities guide: 
circia-electric-utility-ot-readiness 

Water systems guide: 
circia-water-wastewater-runbook  

Why the “small entity” question keeps showing up 

Many proposed thresholds tie back to Small Business Administration size standards. That’s why your NAICS code and “small vs. not small” status can matter in coverage analysis.  

SBA Table of Size Standards: 
https://www.sba.gov/document/support-table-size-standards 

Step 3: Exceptions and edge cases, where coverage gets messy 

Some organizations don’t fit neatly into a yes-or-no answer, even after Step 1 and Step 2. 

This is where you see cases like: 

  • Regional service authorities 
  • Shared services or consortia 
  • Multi-jurisdiction IT operations 
  • Vendor-managed environments 
  • Outsourced infrastructure providers 

In those scenarios, coverage can hinge on control relationships, operational responsibility, and how “size” gets calculated across related entities. SBA affiliation rules can influence that analysis, especially when entities are controlled by, or closely tied to, other organizations.  
https://www.ecfr.gov/current/title-13/chapter-I/part-121/subpart-A/subject-group-ECFRd133f03f6d8398b/section-121.103 

Your memo doesn’t need to resolve every nuance. It should document the facts that drive the nuance: 

  • Ownership structure 
  • Service territory or population served 
  • Operational responsibility (who runs what) 
  • Regulatory relationships 
  • Key vendor dependencies 

The goal isn’t perfection. It’s defensible documentation that you can update as the rule evolves. 

Build your coverage packet 

Think of this as your “one folder” that supports conversations with leadership, insurers, auditors, and incident response partners. 

A simple packet usually includes: 

Organizational information 

  • Legal entity name 
  • NAICS classification 
  • Ownership structure and related entities 

Operational scope 

  • Population served, student enrollment, service territory 
  • Primary services delivered to the public 
  • Oversight or regulatory bodies 

Infrastructure role 

  • Systems that support essential operations 
  • Dependencies with other organizations 
  • Vendor relationships and escalation contacts 

NAICS lookup: 
https://www.census.gov/naics/ 

If you want a faster way to collect these details, use the worksheet in the CIRCIA 72-Hour Ready Kit. 

If you’re unsure, operate as if covered for 90 days 

Many organizations land in a gray area until the final rule clarifies edge cases. When that happens, the lowest-regret approach is to behave as if you’re covered for a short readiness window. 

This is not about buying new systems. It’s about tightening the basics: 

  • Establish a reporting timeline and escalation triggers 
  • Centralize log collection and key evidence sources 
  • Document vendor escalation paths and response expectations 

NIST’s incident response guidance is a solid backbone for this, especially if you want a lightweight process you can actually run under pressure.  
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf 

For budget-friendly logging improvements, CISA’s Logging Made Easy is worth reviewing.  
https://www.cisa.gov/resources-tools/services/logging-made-easy 

Low-cost readiness guide: 
low-cost-circia-readiness-report-ready 

Next step: build your incident timeline 

Determining coverage is Step 0. The operational work starts right after. 

CIRCIA’s statutory deadlines are driving teams to standardize workflows now, especially the 72-hour clock for covered cyber incidents and the 24-hour clock after a ransomware payment.  
https://www.law.cornell.edu/uscode/text/6/681b 

Next guide: 
circia-72-hour-unified-timeline 

Conclusion: document first, optimize later 

The biggest mistake organizations make with coverage is waiting for perfect certainty. 

A better approach is simple: 

  1. Evaluate sector alignment 
  2. Review proposed thresholds 
  3. Document your rationale 

Once that memo exists, you can move forward with readiness work without turning every incident discussion into a coverage debate.