CISA Circular Formatter (CPG 7.1)

    Overview

    Format incident data for CISA and SRMA reporting under CPG 7.1 and CIRCIA. Enforces 72-hour (covered incident) and 24-hour (ransomware) notification windows and validates Information Requirements so the first report is complete.

    Example Conversation

    You: We detected a ransomware incident at 2025-02-15T08:00Z. Help me draft the CISA report and check we’re within the window.

    Agent: I’ll run the notification enforcer and then draft the report. (Runs notification_window_enforcer with detectionTimestamp 2025-02-15T08:00:00Z, isRansomware true.) You have a 24-hour window; deadline is 2025-02-16T08:00Z. I’ve created a draft with the required Information Requirements (entity contact, detection time, incident description, affected systems, incident type). (Runs validate_circia_report on the draft.) All required elements are present. You can submit to CISA and your SRMA before the deadline.

    Output Excerpt

    After the agent runs the notification enforcer and drafts the report, the document typically includes a notification highlight and all CIRCIA Information Requirements. Excerpt:

    # CISA / CIRCIA Incident Report (CPG 7.1)
    
    ## Notification window
    
    **Ransomware — 24-hour window.** Detection: 2025-02-15T08:00Z. CISA/SRMA notification deadline: 2025-02-16T08:00Z. Time remaining: 23h 45m.
    
    ## Reporting entity contact
    
    [Entity name], [sector]. Contact: [name], [title], [email], [phone]. SRMA: [agency if applicable].
    
    ## Detection timestamp
    
    2025-02-15T08:00Z (UTC).
    
    ## Incident description
    
    [Ransomware/covered cyber incident summary: what was detected, how, and current status.]
    
    ## Affected systems
    
    [Systems, assets, or networks affected; scope of impact.]
    
    ## Incident type
    
    Ransomware (covered cyber incident under CIRCIA). [Additional categorization if required.]
    

    Running validate_circia_report on this draft would pass all required elements (entity contact, detection timestamp, incident description, affected systems, incident type).

    What the Tools Validate

    The skill includes two extension tools:

    notification_window_enforcer computes CISA/CIRCIA notification deadlines from the detection timestamp:

    • Input: detectionTimestamp (ISO 8601), optional isRansomware (true for 24h window).
    • Logic: 72 hours for covered cyber incidents, 24 hours for ransomware from detection.
    • Output: Deadline time, time remaining (or OVERDUE), and a short highlight to include in the report so the reporting window is explicit.

    validate_circia_report checks an incident report draft for required Information Requirements:

    • Input: Path to the draft (Markdown or text).
    • Checks: Entity contact, detection timestamp, incident description, affected systems, incident type (per CIRCIA / CPG 7.1).
    • Output: Pass/fail per element and a summary so the first submission to CISA and SRMA is complete.

    Getting Started

    Add your source materials to the project workspace, then activate the CISA Circular Formatter (CPG 7.1) skill. The agent will guide you through the process step by step.
