CIRCIA cyber incident reporting: what Hawaii businesses should do before the final rule
A new federal rule will give covered organizations 72 hours to report a serious cyber incident and 24 hours to report a ransom payment. The rule is not final yet — which makes right now the cheapest time for a Hawaii business to get its incident-response process ready, before the clock is a legal obligation instead of a best practice.
Published · HI Tech Hui · ~7 min read
What CIRCIA is, in plain terms
CIRCIA — the Cyber Incident Reporting for Critical Infrastructure Act of 2022 — is a federal law that directs CISA to require covered entities to report significant cyber incidents and ransom payments. The intent is straightforward: give the federal government earlier, more consistent visibility into attacks against critical infrastructure so it can warn other potential victims faster. The law was enacted in March 2022, but a law that directs an agency to write regulations does not create obligations on its own. The obligations come from the rule, and the rule is still being finalized.
CISA published its Notice of Proposed Rulemaking (NPRM) in the Federal Register on April 4, 2024, and accepted public comment through July 2024. The agency has continued to refine the proposal since, including additional stakeholder sessions, and the projected date for the final rule has moved into 2026. The headline point for any business owner: nothing here is mandatory until the final rule is effective, but the direction is set, and the timeframes in the proposal are aggressive.
The two clocks that matter
Two reporting deadlines in the proposed rule drive every preparation decision:
- 72 hours for a covered cyber incident. A covered entity would report to CISA no later than 72 hours after it reasonably believes a covered cyber incident has occurred. The clock starts at “reasonable belief,” not at full confirmation — which means you need a process that recognizes a reportable event early, not one that waits for the forensic dust to settle.
- 24 hours for a ransom payment. A covered entity would report to CISA no later than 24 hours after a ransom payment is disbursed. This applies even where the incident itself might not independently meet the covered-incident threshold.
The proposal also contemplates a joint report that combines both when a payment happens inside the 72-hour incident window, and supplemental reports when substantial new information emerges. The takeaway is not the report format. It is the speed: 72 hours and 24 hours are both far shorter than the time it takes an unprepared organization to even confirm what happened.
Will it apply to a Hawaii business?
The proposed rule defines a covered entity as an organization in one of the 16 critical infrastructure sectors that either exceeds the Small Business Administration size standard or meets a sector-specific criterion in the rule. CISA has estimated that more than 300,000 entities nationwide would be in scope. Many small Hawaii businesses will fall below the threshold and be exempt from mandatory CIRCIA reporting — but three caveats make “we’re too small” a risky place to stop the analysis:
- Sector criteria can pull smaller entities in. The size exemption is not absolute; sector-specific rules can cover organizations below the SBA standard, particularly in healthcare, water, and other essential services.
- The final definition is not set. The covered-entity scope is one of the most-commented parts of the proposal and could shift in the final rule. A business near the line should plan as if it may be in scope.
- You likely already have a reporting clock. Cyber insurance policies, customer contracts, and sector regulators frequently impose their own short reporting windows. CIRCIA readiness is the same muscle those obligations already require.
In other words, the value of getting ready is not contingent on whether CIRCIA ultimately names you. The capability to detect, decide, and report a serious incident inside a tight window is one every Hawaii business needs regardless.
Why the gap before the final rule is an opportunity
Most organizations treat a new regulation as a deadline to scramble toward. The smarter read on CIRCIA is that the pre-final-rule window is a low-stakes rehearsal period. You can build and test the entire reporting capability now, while a missed 72-hour clock costs you nothing but a lesson. Once the rule is effective, the same miss is a compliance failure during the worst week of your year. The work does not change; only the consequences of doing it badly do.
The readiness checklist
Here is the practical preparation we run for Hawaii managed IT clients. None of it requires waiting for the final rule, and all of it has value the day an incident occurs.
1. Write an incident-response plan with a named reporting owner
The single most common gap we find is not technical — it is that no one is clearly responsible for deciding “this is reportable” and starting the clock. Your plan should name a primary and a backup reporting owner, define what “reasonable belief” looks like for your environment, and specify who that owner notifies (leadership, counsel, insurer, CISA). A plan that lives in a drawer is not a plan; it should be short, current, and rehearsed.
2. Make detection fast enough that 72 hours is realistic
You cannot report what you have not detected. If your environment has no centralized logging and no monitoring, the practical detection-to-belief time can be weeks — well past any reporting window. Endpoint detection and response, centralized log collection, and around-the-clock monitoring are what compress the gap between “something happened” and “we reasonably believe an incident occurred.” For HI Tech Hui clients, that coverage runs through the Cyberuptive 24/7 SOC, which is also where the early evidence of an incident first surfaces.
3. Practice evidence collection and retention
CIRCIA reports ask for specifics — what happened, when, which systems, what indicators were observed. The proposal also contemplates a multi-year data-preservation expectation. An organization that wipes and reimages first and asks questions later destroys exactly the information a report requires. Decide in advance how you preserve logs, disk images, and timeline artifacts before remediation begins, and where that data is retained.
4. Map your other reporting obligations alongside CIRCIA
A serious incident at a Hawaii business can trigger several clocks at once: CIRCIA (when effective), Hawaii’s data-breach notification requirements, HIPAA for healthcare, sector regulators, cyber-insurance policy terms, and customer contracts. Build a single decision matrix that lists each obligation, who it is owed to, and its deadline, so a responder is not reconstructing it under pressure. Reporting to CISA does not by itself satisfy state or sector obligations — and vice versa.
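The two clocks from the proposal and the decision matrix described in this step, worked through as an added example (not HI Tech Hui's or CISA's tooling): only the 72-hour and 24-hour windows come from the page; the joint-report handling follows the post's description with the due date assumed to be the earlier of the two deadlines, and every non-CIRCIA obligation is a constructed placeholder a business would replace with its own contractual, insurance and regulatory windows.

```python
"""CIRCIA two-clock deadline calculator plus a responder's decision matrix.
Added example, not HI Tech Hui's or CISA's tooling. Only the 72-hour and
24-hour windows come from the proposed rule as the post describes it; every
other obligation passed in is a constructed placeholder for the windows in a
business's own contracts, insurance policy and regulators' rules."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INCIDENT_WINDOW = timedelta(hours=72)  # runs from "reasonable belief"
RANSOM_WINDOW = timedelta(hours=24)    # runs from ransom disbursement

@dataclass(frozen=True)
class Report:
    obligation: str
    owed_to: str
    clock_started: datetime
    due: datetime

def circia_reports(believed: Optional[datetime],
                   paid: Optional[datetime]) -> list[Report]:
    """CIRCIA report(s) an incident triggers. The incident clock starts at
    reasonable belief, not confirmation; a payment starts its own 24-hour
    clock even without a covered incident. A payment inside the open 72-hour
    window folds both into one joint report, due by the earlier deadline so
    neither clock is missed (assumed reading of the proposal)."""
    incident_due = believed + INCIDENT_WINDOW if believed else None
    ransom_due = paid + RANSOM_WINDOW if paid else None
    if incident_due and ransom_due and believed <= paid < incident_due:
        return [Report("CIRCIA joint incident + ransom payment report", "CISA",
                       paid, min(incident_due, ransom_due))]
    reports = []
    if incident_due:
        reports.append(Report("CIRCIA covered cyber incident report", "CISA",
                              believed, incident_due))
    if ransom_due:
        reports.append(Report("CIRCIA ransom payment report", "CISA",
                              paid, ransom_due))
    return reports

def decision_matrix(believed: datetime, paid: Optional[datetime],
                    others: list[tuple[str, str, timedelta]]) -> list[Report]:
    """Merge CIRCIA reports with other clocks, each given as (obligation,
    owed_to, window) and assumed to start at reasonable belief, ordered so
    the responder works the nearest deadline first."""
    reports = circia_reports(believed, paid)
    reports += [Report(name, owed_to, believed, believed + window)
                for name, owed_to, window in others]
    return sorted(reports, key=lambda r: r.due)
```

Feeding the matrix a payment at hour 60 of the incident window yields a single joint report due at hour 72; a payment at hour 80 yields two separate reports, which is the case a responder most often gets wrong under pressure.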
5. Rehearse with a tabletop exercise
Once a quarter, walk a realistic scenario — a ransomware detection, a business email compromise, a vendor breach that touches your data — through the plan end to end. Time it against the 72-hour and 24-hour clocks. Tabletop exercises consistently surface the same fixable gaps: unclear ownership, missing contact details, no preserved evidence, and confusion about which obligations apply. Far better to find those in a conference room than at 2 a.m. during a live event.
What this looks like for Hawaii’s targeted sectors
- Hawaii healthcare and clinics: CIRCIA timeframes sit alongside HIPAA breach-notification duties. A clinic needs one workflow that determines whether an event is HIPAA-reportable, CIRCIA-reportable, or both, and starts the correct clocks together.
- Hawaii finance and professional services: These firms already face short contractual and regulatory reporting windows and detailed insurance requirements. A documented CIRCIA-ready incident process is also the cleanest answer to a cyber-insurance underwriting questionnaire.
- Hawaii government contractors: Organizations serving federal and state customers frequently carry contract-level incident-reporting clauses. Aligning those with the CIRCIA model now avoids conflicting obligations later.
Where this fits in a broader security program
CIRCIA readiness is the response half of a security program; it pairs with the prevention half. The faster you close known-exploited vulnerabilities (see the CISA KEV patching SLA) and harden identity against token theft (see the AiTM defense plan), the fewer reportable incidents you have in the first place. But prevention is never perfect, and the organizations that handle a breach well are the ones that decided how they would respond before they had to. CIRCIA simply puts a federal deadline on a discipline every Hawaii business should already practice.
Sources
- CISA — Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
- Congressional Research Service — CIRCIA: Notice of Proposed Rule Making In Brief
- CISA — CIRCIA Fact Sheet (PDF)
Want your Hawaii business ready to meet a 72-hour reporting clock before it becomes a legal obligation? HI Tech Hui’s managed IT services team builds incident-response plans, detection, and evidence handling — backed by our 24/7 SOC — so a reportable event is a rehearsed process, not a scramble. Get in touch.