The Cybersecurity and Infrastructure Security Agency (CISA) has finalized new mandatory cybersecurity requirements that take effect in July 2026. Here's what your business needs to do to comply.
Key Requirements
- Incident reporting: Critical infrastructure operators must report cyber incidents within 72 hours and ransomware payments within 24 hours
- MFA mandate: All federal contractors must implement phishing-resistant MFA by December 2026
- Software supply chain: Vendors must provide Software Bills of Materials (SBOM) for government contracts
- Minimum standards: NIST Cybersecurity Framework 2.0 compliance is required for all federal contractors
Who's Affected
Directly: critical infrastructure sectors (energy, healthcare, finance, transportation) and all federal contractors. Indirectly: any business in the supply chain of affected organizations.
Penalties
Non-compliance can result in loss of federal contracts, fines up to $250,000 per violation, and personal liability for executives who knowingly fail to report incidents.
Start your compliance assessment now — the July deadline will arrive faster than you think.