Strengthening American Cybersecurity Act of 2022

Overview of the Strengthening American Cybersecurity Act

The Strengthening American Cybersecurity Act of 2022 marks a major shift in how the United States approaches cyber incident response and national cybersecurity. On March 1, 2022, the US Senate unanimously passed this bipartisan legislation, highlighting the growing urgency to protect critical infrastructure from escalating cyber threats.

The Act was introduced during a time of heightened global risk, including increased cyber activity linked to geopolitical conflict in Eastern Europe. Its goal is to strengthen the protection of American infrastructure and improve the federal government’s ability to respond quickly and effectively to cyber incidents that could disrupt essential services.

Purpose and Scope of the Act

The Strengthening American Cybersecurity Act establishes mandatory reporting requirements for critical infrastructure organizations and civilian federal agencies. These requirements are designed to improve visibility into cyber incidents and allow federal agencies to share information more efficiently.

Although the law focuses on critical infrastructure, its impact reaches far beyond these sectors. As cyberattacks continue to dominate headlines, the Act signals a broader shift toward accountability, transparency, and proactive cybersecurity practices across both public and private organizations.

Key Legislation Included in the Act

The Act consolidates language from three prior cybersecurity bills into a single framework:

Cyber Incident Reporting for Critical Infrastructure Act

This section establishes mandatory reporting timelines and data preservation requirements following a cyber incident or ransomware payment.

Federal Secure Cloud Improvement and Jobs Act

This portion focuses on secure cloud adoption and authorizes improvements to federal cloud security programs.

Federal Information Security Modernization Act

This section modernizes federal cybersecurity standards and promotes risk-based security management.

Cyber Incident Reporting Requirements

A central focus of the Act is the creation of a clear and standardized process for reporting cyber incidents to the Cybersecurity and Infrastructure Security Agency, also known as CISA. This process enables faster coordination between CISA and other federal agencies, including the FBI, to identify threats and respond effectively.

Covered entities are required to preserve relevant data and, in some cases, provide that data to CISA. Additional reports must be submitted if new or significantly different information becomes available or if a ransom payment is made after the initial report.

Reporting Timelines for Cyber Incidents

For covered cyber incidents, organizations must notify CISA within 72 hours of discovery. Reports must include a detailed description of the incident, the systems affected, and how operations were impacted.

Organizations must also provide information about the threat actors if known, the vulnerabilities that were exploited, and the security controls that were in place at the time of the incident. Details about the type of data accessed and clear identification of the affected entity and its contact information are also required.

Reporting Requirements for Ransomware Payments

If a ransomware payment is made, the Act requires notice to CISA within 24 hours. The report must describe the ransomware attack, identify the threat actor if possible, and explain the techniques used during the attack.

Organizations must also disclose the date and amount of the ransom payment, the payment demand, the payment instructions, and the type of virtual currency or commodity requested. Full identification and contact information for the affected entity must be included.

Enforcement and Legal Protections

The Strengthening American Cybersecurity Act includes strong enforcement mechanisms. CISA has the authority to request or subpoena information from covered entities, with enforcement handled by the Department of Justice. Failure to comply with a subpoena may result in contempt of court and potential criminal or regulatory action.

At the same time, the Act provides important protections for organizations that comply. Entities that submit proper reports to CISA are granted immunity from civil lawsuits based on the information reported. Regulatory agencies are also restricted from using CISA report data for enforcement actions against the reporting entity. All reported information maintains its privileged and confidential status and is protected from public disclosure.

Emphasis on a Risk-Based Cybersecurity Approach

The Act reinforces a shift toward risk-based cybersecurity management at the federal level. While some organizations may not be directly affected today, the standards outlined in the Act are likely to influence future regulations across the private sector.

Organizations are encouraged to evaluate their cybersecurity posture, identify gaps, and allocate resources based on risk. Proactive planning and investment can significantly reduce the impact of future cyber incidents.

Recommended Cybersecurity Measures

Organizations should consider implementing a zero trust architecture to limit access to sensitive systems and data. Enhanced mobile security is also critical, especially as bring-your-own-device (BYOD) policies continue to expand.

Quantitative risk metrics can help leadership teams understand cybersecurity risks and support informed investment decisions. Updating security programs to align with modern federal guidance can also improve measurable security outcomes.

Building secure and integrated security operations centers helps protect both digital and physical assets. Codifying vulnerability disclosure programs further strengthens defenses by allowing vulnerabilities to be addressed before they are exploited.

Authorization of FedRAMP

The Act authorizes the Federal Risk and Authorization Management Program, commonly known as FedRAMP, for five years. This authorization allows federal agencies to adopt cloud technologies securely while maintaining consistent protection of federal data.

FedRAMP plays a critical role in safeguarding sensitive government information in cloud environments, where security failures could have national security implications.

Additional Considerations for Organizations

While the reporting timelines may be achievable for large organizations, smaller businesses may face challenges due to limited resources or staffing. This highlights the need for government support to help organizations improve detection, response, and cybersecurity infrastructure.

Incentives such as tax benefits for small and medium-sized businesses could encourage stronger cybersecurity investments and employee training. Additionally, private sector organizations that work closely with critical infrastructure providers should align with these standards to strengthen national security as a whole.

How Realized Solutions Inc. Can Help

Managing cyber incidents is becoming more complex as threats grow in scale and sophistication. Realized Solutions Inc. helps organizations navigate incident reporting requirements, including voluntary coordination with CISA and other agencies.

Our cybersecurity experts also provide proactive solutions to reduce risk and strengthen defenses before an attack occurs. Contact Realized Solutions Inc. today to learn how we can help protect your organization and support your compliance efforts.
