C yber Incident Reporting for Critical Infrastructure Act of 2021 This bill requires reporting and other actions to address cybersecurity incidents, including ransomware attacks. Entities that own or operate critical infrastructure must report cybersecurity incidents (e.g., ransomware attacks) within specified time frames while other entities may voluntarily report incidents. The Cybersecurity and Infrastructure Security Agency (CISA) must (1) carry out rulemaking to implement the reporting requirements, and (2) establish an office to receive and analyze such reports. To the extent practicable, CISA must align its rules with existing requirements related to the reporting of cybersecurity incidents. The bill limits the use and disclosure of reported information. The information may be shared (subject to protections and restrictions) with federal agencies or to address cybersecurity threats. However, shared information may not be used as a basis for certain regulatory enforcement. Additionally, an entity may not be liable for submitting required reports. Further, reports are not subject to laws governing release of federal or other governmental records. The bill authorizes CISA to take specified action (e.g., issuing subpoenas) if an entity fails to submit a required report. CISA may share subpoenaed information with a regulator or the Department of Justice for regulatory enforcement or criminal prosecution.