In March 2022, President Biden signed the Strengthening American Cybersecurity Act of 2022 into law in order to address and protect American infrastructure against the surge in cyberattacks from Eastern Europe. The Act creates an affirmative obligation for critical infrastructure entities across federally designated critical infrastructure sectors, including energy and financial services, to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
Taking this into consideration, businesses of all types and sizes should pay attention to the new obligations and assess how the Act may impact their specific operations. In addition to this, it is necessary to update cybersecurity-related policies and procedures as well as incident response plans.
Overview of the Strengthening American Cybersecurity Act
The Strengthening American Cybersecurity Act consists of three regulations:
- The Federal Information Security Modernization Act of 2022;
- Cyber Incident Reporting for Critical Infrastructure Act of 2022; and
- Federal Secure Cloud Improvement and Jobs Act of 2022.
The Act requires that organizations constituting critical infrastructure submit reports to CISA under certain timelines. To be more precise, it imposes requirements on covered entities within the critical infrastructure sectors to report to CISA within 72 hours after the discovery of a cybersecurity incident and within 24 hours following any ransomware payments.
In accordance with the Presidential Policy Directive 21 from 2013, the Strengthening American Cybersecurity Act defines the critical infrastructure sector as systems and assets so vital that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Critical infrastructure sectors defined by the Presidential Policy Directive 21 are:
- Commercial Facilities;
- Critical Manufacturing;
- Defense Industrial Base;
- Emergency Services;
- Financial Services;
- Food and Agriculture;
- Government Facilities;
- Healthcare and Public Health;
- Information Technology;
- Nuclear Reactors, Materials and Waste;
- Transportation Systems; and
- Water and Wastewater Systems.
Taking into consideration that these sectors make up a significant portion of the U.S. economy, it is evident that the Strengthening American Cybersecurity Act has far-reaching implications for a wide spectrum of business operations.
CISA’s Oversight and Responsibilities under the Strengthening American Cybersecurity Act
The Strengthening American Cybersecurity Act establishes CISA as the central federal agency responsible for cyber reporting for companies operating within a critical infrastructure sector, advancing the forthcoming rulemaking process, and coordinating with other agencies with respect to information sharing and new initiatives.
While it provides some parameters for key definitions and processes, the Act requires the CISA Director to issue a notice of proposed rulemaking within 24 months, in consultation with other federal agencies. Also, 18 months after the proposed rulemaking, the Director is required to issue a final rule for final implementation, including:
- A clear description of the types of entities that constitute covered entities, based on:
- the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
- the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
- the extent to which damage, disruption, or unauthorized access to such an entity, including accessing sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
- A clear description of the types of substantial cyber incidents that constitute covered cyber incidents.
Enforcement of the Act
The Strengthening American Cybersecurity Act provides several enforcement mechanisms. If a covered entity fails to submit a required report, the CISA Director may obtain information about the cyber incident or ransom payment by directly engaging with the covered entity to gather the necessary information. If the covered entity does not respond to the initial information request within 72 hours, the CISA Director may issue a subpoena. Failure to comply with the subpoena may result in the referral of the matter to the Department of Justice for enforcement.
Under the Act, the CISA Director must provide an annual report to Congress that conveys anonymized information about the number of initial requests for information, issued subpoenas, and referred enforcement matters. This report will be published on CISA’s website.
Preparing for the Strengthening American Cybersecurity Act
Managing cyber events against critical infrastructure is becoming increasingly significant on both national and international levels. In addition to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) and other state consumer data protection laws, the Strengthening American Cybersecurity Act creates additional obligations for businesses.
While it is still unclear which businesses in critical infrastructure sectors will be considered covered entities, companies in the industry sectors listed in Presidential Policy Directive 21 should closely monitor the proposed rulemaking and evaluate whether the Act’s requirements are likely to apply to their businesses. Consequently, potentially impacted entities should consider changes to their cyber programs, examine their internal policies and procedures to reflect the Act’s requirements, and address and prepare for overlapping disclosure obligations under state, federal and international laws. In addition to this, businesses should ensure effective training for employees and staff relating to new cybersecurity threats.