Strengthening American Cybersecurity Act of 2022
On March 1, the U.S Senate passed a historic bill with unanimous and bipartisan support. This bill will affect federal agencies and critical infrastructure organizations. The Strengthening American Cybersecurity Act of 2022 establishes reporting requirements for “covered entities” and critical infrastructure. It is intended to reinforce the protection of American infrastructure – a crucial step in the mitigation of future cyber-attacks, which could be calamitous. This act is meant to address and safeguard against the increase in cyber-attacks from Eastern Europe amid the Russian invasion of Ukraine.
It consists of three regulations:
- The Federal Secure Cloud Improvement and Jobs Act of 2022
- Cyber Incident Reporting for Critical Infrastructure Act of 2022
- The Federal Information Security Modernization Act of 2022
Whereas this legislation is geared towards critical infrastructure, there could be potential widespread implications for the future. Cybersecurity events that affect critical infrastructure are making news headlines at an alarming rate – and are drawing public attention to how important modern and secure cybersecurity best practices are. Ahead we discuss the basics of the recently passed Cybersecurity Act.
Reporting of Cybersecurity Incidents
One of the areas that this act focused on was the creation of a clear path of reporting requirements to CISA (Cybersecurity and Infrastructure Agency). The clear definition of this path facilitates a cross-functional sharing of information between CISA and other federal agencies such as the FBI. This will enable the agencies to collect data and determine the threat actors more quickly. This act also outlines the minimum reporting requirements for both ransomware payments and cybersecurity incidents.
In case of a cybersecurity incident, the act mandates that the following measures be taken:
- A notice should be given to CISA within 24 to 72 hours.
- A comprehensive description of the incident and the vulnerabilities exploited, as well as the defenses that were in place.
- Disclosure of the type of information that may have been compromised.
- If known, the contact information or any other additional information of the responsible parties should be disclosed.
- Contact details from the impacted organization should be shared by CISA.
- In case of a ransomware attack, the disclosure of the date of payment, payment instructions, ransom payment demand, and the ransom amount.
These requirements will put a strain on many organizations to first identify a breach and classify it properly before reporting it. Whereas larger companies can afford staff or external consultants or a managed service provider to monitor and help in reporting these incidents quickly and efficiently, smaller companies may not have the finances and luxury to afford an IT staff or even a managed service provider. They also don’t have the technical knowledge or resources to deploy to detect and remediate breaches.
One thing that is clear about the federal attention to and regulation of cybersecurity management and response is that a risk-based approach is taking precedence at the federal government. While the Strengthening Cybersecurity Act of 2022 may not immediately impact companies operating outside critical infrastructure, all entities should keep in mind that protecting cybersecurity is a crucial step in risk assessment and mitigation.
It is likely that the standards mandated by this act will affect the private sector in the future – and it probably should. Preparing beforehand by assessing the likelihood and the effect of cybersecurity risks and appropriately allocating resources will safeguard all types of businesses from future cybersecurity threats.
Organizations should take precautionary measures by assessing their cybersecurity measures and, if found to be with vulnerabilities, should establish standards and practices to protect the enterprise. Among the steps they can take include:
- Implementation of zero trust architecture: Unrestricted access to sensitive information is a significant risk for any business. By implementing zero trust, you will restrict access controls to networks and the technological environment by ensuring minimal access to improve network security.
- Enhancement of mobile security: In today’s hybrid work environment where organizations have adopted “Bring Your Own Device” (BYOD), there are additional risks to businesses. Cybercriminals often target mobile devices, and they should therefore be properly maintained to ensure that they don’t make organizations susceptible to cybersecurity incidents.
The passing of this bill is a step towards creating standardization in how organizations prevent and remediate cybersecurity incidents. As the implications of this act unravel, it is worth looking into a few considerations.
The Strengthening American Cybersecurity Act of 2022 creates an opportunity for Federal Risk and Authorization Management Program (FedRAMP) organizations to further adopt cloud-based technologies in the coming five years.
The FedRAMP was created to offer a cost-friendly, risk-based strategy for the adoption and use of cloud technologies by the federal government. It empowers agencies to utilize modern cloud technologies, with an emphasis on security and protection of federal information.
When a cybersecurity incident happens, organizations are mandated to report the incident within 24 to 48 hours. Whereas this might be attainable for large organizations, the same might not be true for smaller organizations. The government needs to help fund the necessary services to not only avoid having a breach in the first place, but help fund the remediation as well as assist in fortifying the internal cybersecurity infrastructure. A good approach might be to offer smaller and medium-sized businesses an incentive in the form of tax reductions for them to use those funds to strengthen their internal cybersecurity infrastructure and employee training.
Lastly, the private enterprise works closely with critical infrastructure owners and operators and is, therefore, an important piece of the security process. The unprecedented bipartisan package should be an excellent guideline by which communication is followed in case of a cybersecurity incident. Unfortunately, the act is only applicable to critical infrastructure owner organizations and government agencies. Hopefully, the private sector will shortly follow similar types of requirements. Although there may be a few hurdles in nailing this, in time, all organizations will follow the requirements of this act when reporting incidents or vulnerabilities.
On-Site Computers Can Help Keep Your Business Protected From Cyber Attacks
Our cybersecurity IT strategies are designed to protect your business from risks associated with cybercrime and to shield your business. We understand the importance of preserving the integrity of protecting sensitive data. With On-Site’s cybersecurity solutions, you won’t have to worry about it. Contact us today to get started.