Despite previous iterations failing to win support in both chambers of Congress, the legislation was officially signed into law on March 15th. The Russian invasion of Ukraine, and the mounting cybersecurity concerns it’s caused worldwide, no doubt played a significant role in pushing the legislation through.
Here’s what we know, and what we don't.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has been tasked with implementing regulations in line with the provisions set forth in the legislation. The true scope of the Act remains to be seen. That being said, it’s crucial for all organizations – regardless of size or industry – to be prepared, given the federal government’s clear intent to make cybersecurity more robust across the private sector.
The Strengthening American Cybersecurity Act is composed of three unique regulations:
Provisions of the Act will apply to covered entities, yet to be determined, within the following sectors:
The above sectors, designated as critical infrastructure in the Presidential Policy Directive, naturally encompass a large portion of the U.S. economy. Because of this, the breadth of the legislation can be expected to be far-reaching, and organizations within each sector would do well to prepare for a forthcoming increase in their cybersecurity and compliance requirements.
One of the cornerstones of the Act stipulates that all covered entities within the above critical infrastructure sectors must report cybersecurity incidents within 72 hours of discovery – and within 24 hours for ransomware payments.
Of course, these regulations won’t take effect for at least 18 months. While this window will allow CISA time to define both the scope of the Act and the entities it applies to, it also grants potential covered entities additional time to prepare.
“Covered cybersecurity incidents” within the provisions of the Act remain somewhat nebulous, but that won’t last for long. CISA’s final rule will both clarify which incidents are covered under the legislation and set the requirements for how entities must respond and report.
As of now, a covered cybersecurity incident is one that, at a minimum, “leads to substantial loss of confidentiality, integrity, or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes”, or that involves “unauthorized access or disruption of business or industrial operations due to compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or due to a supply chain compromise.”
With the Strengthening American Cybersecurity Act, the federal government has issued a clear mandate throughout the private and public sectors that cybersecurity is more important than ever.
Want to make sure your cybersecurity infrastructure is up to par? We can help. Get in touch with us below.