What the Strengthening American Cybersecurity Act Means for The Cybersecurity Industry
While Congress may not agree on much, one recent agenda item passed the Senate by unanimous consent: the Strengthening American Cybersecurity Act.
Despite previous iterations failing to win support in both chambers of Congress, the legislation was signed into law on March 15, 2022. The Russian invasion of Ukraine, and the mounting cybersecurity concerns it has caused worldwide, no doubt played a significant role in pushing the legislation through.
Here’s what we know, and what we don't.
Who’s in charge
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has been tasked with issuing the regulations that implement the provisions of the legislation. The true scope of the Act will not be known until that rulemaking is complete. Even so, it is prudent for all organizations, regardless of size or industry, to prepare now, given the federal government’s clear intent to raise the cybersecurity baseline across the private sector.
The Strengthening American Cybersecurity Act is composed of three unique regulations:
Federal Information Security Modernization Act of 2022 This Act aims to update federal cybersecurity law, improve communication between agencies, and require federal agencies to report incidents to CISA.
Cyber Incident Reporting for Critical Infrastructure Act of 2022 This Act significantly increases reporting requirements for covered entities in the event of a cybersecurity incident, as outlined below.
Federal Secure Cloud Improvement and Jobs Act of 2022 This Act codifies and strengthens the Federal Risk and Authorization Management Program (FedRAMP), streamlining the process by which federal agencies are authorized to use cloud services.
Covered Entities and Sectors
Provisions of the Act will apply to covered entities, yet to be defined by CISA, within the 16 critical infrastructure sectors, which include:
Defense Industrial Base
Food and Agriculture
Healthcare and Public Health
Nuclear Reactors, Materials and Waste
Water and Wastewater Systems
The critical infrastructure sectors, as defined in Presidential Policy Directive 21 (PPD-21), encompass a large portion of the U.S. economy. The reach of the legislation is therefore likely to be broad, and organizations within each sector would do well to prepare for a forthcoming increase in their cybersecurity and compliance requirements.
Mandated timely reporting
One of the cornerstones of the Act stipulates that covered entities within the critical infrastructure sectors must report a covered cybersecurity incident to CISA within 72 hours of reasonably believing it occurred, and must report a ransomware payment within 24 hours of making it.
These reporting requirements will not take effect until CISA issues a final rule. The statute gives CISA up to 24 months from enactment to publish a proposed rule and up to 18 months after that to finalize it. While this window allows CISA time to define the scope of the Act and the entities it applies to, it also gives potential covered entities time to put reporting processes in place.
Defining “Incidents”, and their response
“Covered cybersecurity incidents” within the provisions of the Act remain somewhat nebulous, but that won’t last for long. CISA’s final rule will both address clarifying definitions around what incidents are covered in the legislation, as well as requirements for entities to respond and report.
As of now, the statute sets a floor for the definition: a covered cybersecurity incident must, at a minimum, be an incident that “leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes”; a disruption of business or industrial operations caused by a denial-of-service attack, ransomware attack, or exploitation of a zero-day vulnerability; or “unauthorized access or disruption of business or industrial operations” resulting from the compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or from a supply chain compromise. In practice, this means incidents originating with a vendor or service provider can trigger an entity’s own reporting obligation, so third-party risk management and contractual notification terms will matter as much as internal detection.
With the Strengthening American Cybersecurity Act, the federal government has issued a clear mandate throughout the private and public sectors that cybersecurity is more important than ever.
Want to make sure your cybersecurity infrastructure is up to par? We can help. Get in touch with us below.