By David Bernstein, J.D. Candidate, 2026
On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law.1 Bipartisan lawmakers championed the legislation in response to the growing number of cyber intrusions against critical infrastructure.2 In particular, the May 2021 ransomware attack against the Colonial Pipeline was a “watershed moment” that laid bare how cyber incidents can have rippling impacts on the American economy and people’s daily lives.3
CIRCIA mandates the Cybersecurity and Infrastructure Security Agency (CISA) develop regulations requiring entities in the sixteen critical infrastructure sectors specified in Presidential Policy Directive 21 to report cyber incidents to CISA within seventy-two hours of when they believe the incident occurred.4 CISA is directed to provide “a clear description” of what specific entities will be required to report cyber incidents based on the probability and magnitude of malicious cyber disruptions.5
Space is not enumerated as a critical infrastructure sector that will be covered by the proposed rules; however, some satellite operators may be required to report cyber incidents because they are integral to critical infrastructure operations, most obviously in sectors such as communications and financial services. CISA should resist the temptation to require that all satellite operators report cyber incidents because not all space assets support critical infrastructure. By properly scoping these reporting requirements, CISA can encourage industry compliance with reporting requirements and focus its efforts on responding to high severity cyber incidents.
CISA Rulemaking Process
CISA is expected to publish a Notice of Proposed Rulemaking (NPRM) soon and must issue a final rule by September 15, 2025.6 As CISA develops these proposals, it should focus on the scope of the proposed regulations: which “covered entities” will be required to report cyber incidents?7
Comments from around the business community emphasize two primary adverse consequences of an overly broad definition of “covered entities.” First, Business Roundtable warns that requiring too many entities to report cyber incidents could result in “uncertainty” and an “undue burden on private sector entities,” especially those that do not operate critical infrastructure.8 Experts project that “58,000 additional active satellites could be launched by 2030,” more than ten times as many as are currently in orbit.9 CISA may stifle commercial space innovations should all entrants in the New Space economy be required to comply with stringent reporting requirements even if they do not enable critical infrastructure missions, such as research and localized monitoring satellites. Second, the U.S. Chamber of Commerce cautions that requiring too many entities to report cyber incidents “could risk creating unintended noise in the system that detracts from protecting critical infrastructure.”10 If CISA required all satellite operators to disclose cyber incidents, it would need to process and respond to potentially thousands of breaches on commercial satellites. An overly broad reporting regime could stretch the agency too thin and risk deprioritizing responses to the most significant incidents. Similar concerns have been raised by the Cybersecurity Coalition, CTIA (a trade association representing the wireless industry), and other industry groups.11
Additionally, CIRCIA required that the Secretary of the Department of Homeland Security (DHS) issue a report on duplicative federal cyber incident reporting standards.12 DHS found that there are “45 different federal cyber incident reporting requirements created by statute or regulation currently in effect or final agency guidance.”13 These standards impact varying sectors, have different reporting standards, and impose differing penalties for failure to comply.
Considerations for the Space Sector
The catastrophic potential impacts of cyber incidents on space infrastructure are well documented.14 Beyond the strategic threats of hacking Global Positioning Systems that are crucial to global military operations, disruptions of commercial satellites could have rippling effects that impede all functions of the global economy from shipping to electronic financial transactions.15 According to expert analyses, a global shutdown of satellite networks through massive cyber-attacks would immediately ground flights, stop trains, delay emergency response services, and make cash-dispensers inoperable; soon after, global financial transactions would halt and blackouts would be widespread.16 While this scenario is extremely unlikely, it is important to recognize the myriad of ways that modern life relies on space infrastructure. Indeed, Sam Costa, a counterintelligence officer, noted that “while space is not designated technically as critical infrastructure, I think we can all agree that all of the critical infrastructure sectors rely on space.”17
While satellites are essential to all critical infrastructure operations, not all satellites enable critical infrastructure functions. For example, some weather monitoring satellites are necessary for the operation of critical infrastructure systems, while others may not be. A satellite monitoring for hurricane activity that could impact energy and chemical facilities in the Gulf Coast may be essential to prevent catastrophic societal impacts, whereas a research satellite monitoring the earth’s poles may not be considered as essential. CISA should not require the latter satellite operator to disclose cyber incidents, or else CISA may be inundated with responding to breaches that do not directly impact critical infrastructure.
However, experts from the Cyberspace Solarium Commission 2.0, the Information Sharing and Analysis Center, and the Space Foundation have called for space to be designated as the seventeenth critical infrastructure sector.18 Rep. Ted Lieu recently introduced bipartisan legislation on this matter, albeit with only four cosponsors.19 While legislative action is unlikely and the Biden administration is reportedly not pursuing this route, CISA should not require all satellite operators to comply with the same reporting standards as the established sixteen critical infrastructure sectors.20
CISA must scope these rules properly to cover space assets that enable critical infrastructure operations without imposing overly burdensome requirements across the entire space industry. The Aerospace Industries Association has cautioned that deeming space as a critical infrastructure sector is unnecessary and unwise, for “many space-based capabilities and their enabling infrastructure are already considered within critical infrastructure sectors, such as the critical manufacturing, communications, defense industrial base, government infrastructure, and transportation systems sectors.”21 Experts have thus cautioned that designating space as the seventeenth critical infrastructure sector and imposing additional cybersecurity requirements across the entire sector may stifle commercial innovation and impose unnecessary bureaucratic burdens, especially when stacked on top of existing cyber risk disclosure rules.22
As CISA finalizes its rulemaking efforts, it should focus on the specific types of space assets that should be subject to the cybersecurity reporting requirements instead of requiring that all actors in the space domain disclose cyber incidents. A properly scoped rulemaking will avoid excessive bureaucratic complexity and ensure that entities are not subject to confusing and duplicative requirements. The methodology defining covered entities should focus on the severity and scale of cyber incidents, not simply the sector that was targeted.23 Cyber incident disclosure rules can dramatically reduce the ensuing impacts of hacks on critical infrastructure, but they must be scoped effectively to properly ensure compliance by private industry and to enable effective responses by the government.