Legislative Updates

New Addition to U.S. Cybersecurity Legislation – Strengthening American Cybersecurity Act of 2022


Emptech's founder, Jeff Aleixo


Jeffrey Aleixo

Strengthening American Cybersecurity Act 2022, Data privacy protection

In March 2022, President Biden signed the Strengthening American Cybersecurity Act of 2022 into law in order to address and protect American infrastructure against the surge in cyberattacks from Eastern Europe. The Act creates an affirmative obligation for critical infrastructure entities across federally designated critical infrastructure sectors, including energy and financial services, to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

Taking this into consideration, businesses of all types and sizes should pay attention to the new obligations and assess how the Act may impact their specific operations. In addition to this, it is necessary to update cybersecurity-related policies and procedures as well as incident response plans.

Overview of the Strengthening American Cybersecurity Act

The Strengthening American Cybersecurity Act consists of three regulations:

  1. The Federal Information Security Modernization Act of 2022;
  2. Cyber Incident Reporting for Critical Infrastructure Act of 2022; and
  3. Federal Secure Cloud Improvement and Jobs Act of 2022.

The Act requires that organizations constituting critical infrastructure submit reports to CISA under certain timelines. To be more precise, it imposes requirements on covered entities within the critical infrastructure sectors to report to CISA within 72 hours after the discovery of a cybersecurity incident and within 24 hours following any ransomware payments.

In accordance with the Presidential Policy Directive 21 from 2013, the Strengthening American Cybersecurity Act defines the critical infrastructure sector as systems and assets so vital that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Critical infrastructure sectors defined by the Presidential Policy Directive 21 are:

  • Chemical;
  • Commercial Facilities;
  • Communications;
  • Critical Manufacturing;
  • Dams;
  • Defense Industrial Base;
  • Emergency Services;
  • Energy;
  • Financial Services;
  • Food and Agriculture;
  • Government Facilities;
  • Healthcare and Public Health;
  • Information Technology;
  • Nuclear Reactors, Materials and Waste;
  • Transportation Systems; and
  • Waste and Wastewater Systems.

Taking into consideration that these sectors make a significant portion of the U.S. economy, it is evident that the Strengthening American Cybersecurity Act has far-reaching implications for a wide spectrum of business operations.

Learn about the key differences between the CCPA and CPRA, what areas of the CCPA will be amended with the passage of the CPRA, and what steps to take in order to prepare for these changes.

CISA’s Oversight and Responsibilities under the Strengthening American Cybersecurity Act

The Strengthening American Cybersecurity Act establishes CISA as the central federal agency responsible for cyber reporting for companies operating within a critical infrastructure sector, advancing the forthcoming rulemaking process, and coordinating with other agencies with respect to information sharing and new initiatives.

While it provides some parameters for key definitions and processes, the Act requires the CISA Director to issue a notice of proposed rulemaking within 24 months, in consultation with other federal agencies. Also, 18 months after the proposed rulemaking, the Director is required to issue a final rule for final implementation, including:

  1. A clear description of the types of entities that constitute covered entities, based on:
  • the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
  • the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
  • the extent to which damage, disruption, or unauthorized access to such an entity, including accessing sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
  1. A clear description of the types of substantial cyber incidents that constitute covered cyber incidents.
As a groundbreaking privacy law, CCPA has introduced a set of cybersecurity requirements, obliging businesses to take necessary steps from both a data privacy and cybersecurity standpoint.

Enforcement of the Act

The Strengthening American Cybersecurity Act provides several enforcement mechanisms. If a covered entity fails to submit a required report, the CISA Director may obtain information about the cyber incident or ransom payment by directly engaging with the covered entity to gather the necessary information. If the covered entity does not respond to the initial information request within 72 hours, the CISA Director may issue a subpoena. Failure to comply with the subpoena may result in the referral of the matter to the Department of Justice for enforcement.

Under the Act, the CISA Director must provide an annual report to Congress that conveys anonymized information about the number of initial requests for information, issued subpoenas, and referred enforcement matters. This report will be published on CISA’s website.

Preparing for the Strengthening American Cybersecurity Act

Managing cyber events against critical infrastructure is becoming increasingly significant on both national and international levels. In addition to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) and other state consumer data protection laws, the Strengthening American Cybersecurity Act creates additional obligations for businesses. 

While it is still unclear what businesses in critical infrastructure sectors will be considered covered entities, companies in the industry sectors from Presidential Policy Directive 21 should closely monitor the proposed rulemaking and evaluate if the Act’s requirements are likely to apply to their businesses. Consequently, potentially impacted entities should consider changes to their cyber programs, examine their internal policies and procedures to reflect the Act’s requirements, and address and prepare for overlapping disclosure obligations under state, federal and international laws. In addition to this, businesses should ensure effective training for employees and staff relating to new cybersecurity threats. 

Simplify compliance with various data security laws and ensure the maximum security of your employees, customers, and company’s data, while maintaining fast detection, response and mitigation of any data security incidents.
The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.