On March 1st, the United States Senate passed a historic cybersecurity bill with bipartisan and unanimous support. This bill impacts operators of federal infrastructure and federal civilian agencies. The Strengthening American Cybersecurity Act of 2022 creates reporting requirements for critical infrastructure and “covered entities” and is intended to shore up protection of American infrastructure – a critical step in mitigating future attacks which could be devastating. As the Russian invasion of Ukraine creates global uncertainty, this Act is meant to address and protect against the surge in cyberattacks from Eastern Europe.
The Act consists of three regulations:
- The Federal Information Security Modernization Act of 2022
- Cyber Incident Reporting for Critical Infrastructure Act of 2022
- Federal Secure Cloud Improvement and Jobs Act of 2022
Though this legislation is targeted towards critical infrastructure, there are potential widespread implications for the future. Cybersecurity incidents impacting critical infrastructure, including some infamous and debilitating ransomware, are making news at an increased rate – and drawing public attention to the importance of modern and secure cybersecurity practices. Here, we discuss the basics of the Act.
Reporting an Incident
A key focus of this act is to create a clear path of reporting requirements to the Cybersecurity and Infrastructure Security Agency (CISA) for cybersecurity incidents. Clearly defining this path for reporting allows for cross-functional information sharing between CISA and other key federal agencies, such as the FBI. This allows the agencies to collect data and identify the culprit more quickly. The act also establishes minimum reporting requirements for both cybersecurity incidents and ransom payments.
For incidents, the act requires:
- Notice to be given to CISA within 72 hours
- A full description of the incident and vulnerabilities exploited, along with what defenses were in place
- If known, contact information or additional details about the responsible parties to be disclosed
- The type of information that may have been compromised to be disclosed
- Details and contact information from the impacted entity to be shared with CISA
In addition to disclosing the above information, ransomware attack disclosure has some other requirements:
- Notice must be given to CISA within 24 hours
- Date of payment, ransom payment demand (including type of virtual currency), payment instructions and ransom amount must be disclosed
Risk-based Approach
Federal attention to and regulation of cybersecurity management and response has potential widespread implications. One thing is clear – a risk-based approach is taking hold at the federal level. Though this act will not immediately affect companies operating outside of critical infrastructure, all companies should bear in mind that protecting cybersecurity is a critical step in risk assessment and mitigation.
In all likelihood, the standards set forth in this legislation will impact the private sector in the future – and they should. Preparing well in advance by assessing for the likelihood and impact of these risks and allocating resources appropriately will protect all types of businesses from future threats.
Organizations should take the time now to assess their cybersecurity policy, and if found to be lacking, should formalize a set of standards and practices to protect the enterprise. Some of the first steps to do so include:
- Enhancing mobile security – in today’s distributed or hybrid work environment, “Bring Your Own Device” (BYOD) creates additional risks to the business. Personal and mobile devices are at increased risk for cybersecurity incidents and should be properly maintained
- Implement zero trust architecture – unfettered access to internal and sensitive information is a huge risk for any business. Zero Trust restricts access controls to networks, applications, and the technology environment by allowing the minimum necessary access to enhance network security
- Gather quantitative metrics – when risk is quantified, it becomes easier to gain buy-in from the Board and other financial decision makers to properly invest in cybersecurity. Gathering and disseminating this information is an important step in implementing a comprehensive cybersecurity program
Additional Considerations
The passage of this legislation is a step towards standardization in how organizations prevent and address cybersecurity incidents. While the implications of this unfold, there are a few other considerations worth mentioning.
The Strengthening American Cybersecurity Act of 2022 opens up the potential for further adoption of cloud-based technology for Federal Risk and Authorization Management Program (FedRAMP) organizations in the next five years. FedRAMP was established to, “provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.”
When a cybersecurity incident happens, organizations need to act quickly – especially when the attack compromises critical infrastructure. The frequency of cybersecurity events and threats they pose should not be overlooked. During an incident, the first 24-72 hours are the most critical; organizations must plan ahead to address the incident and meet the reporting requirements set forth in the Act. Failure to do so could distract from the critical steps needed mitigate these incidents.
Though the Act has no immediate impact to private or commercial businesses, maintaining best practices in cybersecurity is important for a number of reasons. Protecting sensitive internal and customer data and the company’s reputation are already important aspects of running a modern business of any size. For now, the Act’s reach is limited in scope, but as cyber-related threats affect all types of businesses, there will be increased attention to this matter – and all organizations are well-advised to prepare now should the Act be revised and expanded at a later time.
To learn more about the cybersecurity threat landscape and how to maintain compliance, check out the “Ransomware Attacks in 2022: Compliance Lessons Learned” webinar.