Strengthening American Cybersecurity Act of 2022
In a move that shows just how quickly the cybersecurity policy environment is changing, the US Senate unanimously passed a bipartisan bill on March 1, 2022. This bill will initiate sweeping changes pertaining to cyber incident response and cybersecurity across the federal legal landscape.
The Strengthening American Cybersecurity Act creates reporting requirements for critical infrastructure entities and civilian federal agencies. It is meant to reinforce the protection of American infrastructure, an important step in mitigating future cyberattacks, which could be catastrophic. The Act is intended to address and protect against the increase in cyber threats from Eastern Europe amid the Russian invasion of Ukraine.
Introduced by Senators Rob Portman (R-OH) and Gary Peters (D-MI), the bill draws its language from three other bills, namely:
- The Cyber Incident Reporting for Critical Infrastructure Act (S. 2875)
- The Federal Secure Cloud Improvement and Jobs Act (S. 3099)
- The Federal Security Modernization Act (S. 2902)
Though this bill is targeted at critical infrastructure, it has widespread implications for the future. Cybersecurity incidents affecting critical infrastructure are making news headlines at an alarming rate, and they are drawing the public's attention to the importance of following cybersecurity best practices. In this post, we will discuss the basics of the bill.
Reporting an Incident
One key area that this bill focuses on is creating a clear path for reporting to the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Clearly defining this reporting path will allow for cross-agency information sharing between CISA and other federal agencies such as the FBI, which will enable the agencies to gather data and identify the culprit quickly.
Entities would be required to preserve data and, in some instances, provide CISA with data relevant to the cyber incident or ransomware payment. Supplementary reports would be required until the incident is resolved whenever substantially new or different information emerges, or if a covered entity pays a ransom after it has already submitted its initial incident report.
While the specific reporting requirements will be established through CISA's rulemaking, the Act mandates certain minimum reporting requirements.
For incidents, the Act requires:
- Notice to be given to CISA within 72 hours.
- A description of the incident, including the identification and description of the affected networks, systems, and devices, as well as a description of the unauthorized access, the estimated date range of the incident, and its impact on operations.
- Any identifying or contact information for every threat actor reasonably believed to be behind the attack.
- A description of the vulnerabilities that were exploited, the cybersecurity defenses that were in place, and the tactics, techniques, and procedures used to execute the attack.
- The categories of information that were accessed or are reasonably believed to have been accessed by the threat actor(s).
- The name and other pertinent information that clearly identifies the “covered entity” affected by the cyber-attack.
- Contact information for the covered entity.
If a ransom was paid, the Act requires:
- Notice to be given to CISA within 24 hours.
- A description of the ransomware attack, including the estimated date range of the attack.
- Any identifying or contact details for the threat actor reasonably believed to be behind the attack.
- A description of the vulnerabilities, tactics, techniques, and procedures used to execute the ransomware attack.
- The name and other identifying information for the covered entity that made the ransom payment.
- The contact information of the covered entity.
- The date the ransom was paid.
- The ransom demand, including the virtual currency or commodity requested.
- The ransom payment instructions.
- The amount of the ransom payment.
The Strengthening American Cybersecurity Act also includes significant enforcement mechanisms and penalties for non-compliance with reporting obligations.
CISA will be empowered to request or subpoena information from covered entities, and these subpoenas will be enforced by the Department of Justice. Covered entities that don't comply with a subpoena will face contempt of court, and CISA would have statutory authorization to share information and make referrals to the Department of Justice or other appropriate federal agencies for criminal prosecution or regulatory enforcement action. That said, covered entities that submit compliant reports to CISA would be entitled to certain protections under the Act.
A covered entity would be immune from any civil suit based on its CISA report. Regulatory agencies that obtain information from CISA reports cannot use that information to bring enforcement actions against the covered entity. Such information will also be protected in the same manner as the covered entity's financial, commercial, and proprietary information: it would retain any legally privileged status and would not be subject to public access laws.
Risk-Based Approach
One thing that is certain with the Strengthening American Cybersecurity Act is that a risk-based approach to managing and responding to cyber incidents is taking precedence at the federal level. While this Act may not immediately affect organizations that operate outside critical infrastructure, all organizations should keep in mind that protecting against cyber incidents is a crucial step in averting cyber threats.
The chances are that the standards set forth will affect the private sector in the near future, and they should. Establishing sound measures beforehand, assessing the likelihood of a cyber incident, and allocating resources appropriately will protect all types of organizations from future cybersecurity threats.
Organizations should take time to examine their cybersecurity policies and, if they find any gaps, formalize a set of standards and practices to protect themselves. Some of the measures they should take include:
- Implement zero trust architecture: Unauthorized access to an organization's sensitive information can be damaging. Implementing zero trust tightens access controls on applications, networks, and systems, thereby enhancing network security.
- Enhance mobile security: Given the high adoption rate of 'Bring Your Own Device' policies, organizations face additional threats. Mobile and other personal devices are at increased risk of compromise and should therefore be adequately managed and maintained.
- Gather quantitative metrics: By quantifying risk, you will have an easier time gaining buy-in from the board and other financial decision-makers to invest properly in cybersecurity.
- Add to FISMA guidance: This guidance helps agencies focus less on compliance-based activities and spend more time measuring information that is closely tied to observable and practical security outcomes. It defines a maturity baseline in particular high-impact capability areas.
- Secure physical operations centers: Physical security incidents cause staggering levels of material damage and cost organizations dearly. Building an integrated security operations center can undoubtedly enhance both your organizational and physical security posture.
- Codify vulnerability disclosure programs: Vulnerability disclosure programs help organizations mitigate risk by enabling vulnerabilities to be disclosed and fixed before threat actors exploit them. Codifying your vulnerability disclosure program makes it harder for threat actors to get hold of information about your organization's vulnerabilities.
Sanctioning of Federal Risk and Authorization Management Program (FedRAMP)
The Act would also authorize FedRAMP to ensure that federal agencies can securely and efficiently adopt cloud technologies to enhance government operations. This authorization would last for five years. FedRAMP enables agencies to use modern cloud technologies while securing and protecting federal information.
When government information is involved, the security concerns can rise to the level of national security. That's why this bill authorizes FedRAMP: it will help ensure that federal data is consistently protected at a high level in the cloud.
Other Considerations
The passing of the Strengthening American Cybersecurity Act is a great step towards standardizing how organizations should safeguard against and remediate cybersecurity incidents. As the effects of this bill unfold, it's worth exploring some other considerations.
This bill mandates that when an organization experiences a cyber incident, it should file a report with CISA about the incident within 24 to 48 hours. While this may be attainable for large organizations, the same may not be true for smaller organizations. Smaller organizations may not have the financial resources to afford IT staff or even a managed service provider, so it may take them longer to detect and report cyber incidents as this bill mandates.
For that reason, the government should help fund the services needed to avert data breaches, remediate them when they occur, and strengthen internal cybersecurity infrastructure.
An excellent strategy would be to offer small and medium-sized organizations incentives in the form of tax reductions. This way, such organizations would have the funds to strengthen their internal cybersecurity infrastructure and invest in employee training.
Finally, given that the private sector works closely with critical infrastructure organizations, the rules mandated in this bill should also govern them to truly fortify the nation’s security posture.
Realized Solutions Inc. Can Help Strengthen the Cybersecurity of Your Organization
Navigating the landscape of cyber incidents is becoming increasingly challenging, given the current political unrest and the growing complexity of cyber-attacks. Realized Solutions Inc.'s team of cybersecurity experts can help your organization assess voluntary reporting to CISA and other agencies before, during, and after a cyber incident takes place. We can also provide you with excellent cybersecurity solutions that will help ensure your organization doesn't become a cyberattack victim in the first place. Contact us today to get started.