Strengthening American Cybersecurity Act Of 2022

Grok Technology Services has researched everything US businesses need to know about the Strengthening American Cybersecurity Act of 2022.

U.S. Senate Unanimously Passes the Strengthening American Cybersecurity Act Of 2022

The policy environment surrounding cybersecurity has changed drastically over the years. Reflecting this urgency, the Strengthening American Cybersecurity Act of 2022 was passed by the U.S. Senate unanimously on March 1, 2022.

The new legislation will usher in a sweeping change in all areas relating to cybersecurity, such as the federal legal landscape and cyber incident responses. This act comes after several related pieces of legislation failed to win passage in the past years.

The package was first introduced to the House by U.S. Senator Gary Peters (D-Mich.). It addressed crucial changes in the protection of critical government infrastructure and cybersecurity needs in response to the current geopolitical tension in Eastern Europe. The continued tension may lead to adverse cyber security issues that require effective prevention measures.

President Joe Biden continues to pursue peace among these nations as several branches of the U.S. government and allied nations prepare to tighten their security infrastructure and create airtight cyber solutions.

The Strengthening American Cybersecurity Act of 2022

The act combines pieces of three bills aimed at regulating the protection of I.T. infrastructure. The bill is set to be an extra cybersecurity procedure for the federal government, allowing for amending, modernizing, and unifying cybersecurity best practices. It also sets the best standards for the U.S.

Each act addresses a specific issue that companies and federal agencies must follow to help prevent cyber threats. In particular, the three acts address the following:

The Federal Information Security Modernization Act

This is the first act included in the new strengthening cybersecurity bill. It contains an update of federal cyber laws to help improve coordination and speed up communication between agencies. The act tasks all groups responsible for cybersecurity to share cyber incident information with the Cybersecurity and Infrastructure Security Agency (CISA).

The act addresses issues such as:

  • Amend all the existing regulations to enhance the federal cybersecurity framework
  • Improve mobile security
  • Automate cybersecurity incident reports
  • Establish a proper inventory of unsolved and solved cases
  • Gather quantitative metrics on cyber issues
  • Secure all physical operations centers
  • Add to FISMA guidance

The Cyber Incident Reporting for Critical Infrastructure Act

The second act addresses the requirement for companies to deal with any potential cyber threats they may face. Every company must report any substantial cyber threat within the first 72 hours and ransomware payments in the first 24 hours to CISA.

The act seeks to work on:

  • Prompt cyber incident reports and notifications
  • Congressional reporting
  • Federal incident report sharing
  • Ransomware vulnerability warning activities
  • Ransomware threat mitigation programs

The Federal Secure Cloud Improvement and Jobs Act

This is the third and final act of the three acts outlined in the strengthening cybersecurity bill of 2022. The Senate passed the act in December 2021 to make it easier for federal agencies to receive approvals for using cloud technologies. It also involved modernization efforts to strengthen the overall cybersecurity posture of all government branches.

Outline of the Strengthening American Cybersecurity Act of 2022

Following the recent surge in data breaches and geopolitical uncertainties, the act focuses on several aspects of cybersecurity. The basics include:

Reporting an Incident

The key focus of the act is to offer a clear and accessible path for reporting cybersecurity incidents to CISA. The path must be clearly defined to allow cross-functional information sharing and fast communication between CISA and any relevant agency like the FBI.

The agencies can then collect and analyze data to identify the culprit. The act also discusses the minimum reporting requirements for ransomware and any cyber threats.

For cybersecurity incidents, the acts provide requirements like:

  • Notice to CISA within 72 hours after a breach. This goes for any substantial threat that may occur.
  • Give a detailed description of the attack, including the vulnerabilities. With this, the company will have all the defenses in place to prevent such threats.
  • If applicable, include the contact or any relevant details about the parties responsible, whether insider or outside threats.
  • Mention the type of information that may have been breached.
  • The reporting should include the details and contact information of the impacted entity.

For ransomware attacks, the acts specify these requirements:

  • Notify CISA within the first 24 hours
  • Include all relevant details such as the date of payment, the ransom payment demand (whether virtual currency or not), ransom amount, and payment instructions.

Risk-based Approach

The increasing federal attention and regulation of cybersecurity management have potentially widespread implications for every business in the U.S. A risk-based approach is the best way to respond to this federal-level attention.

The act may not take effect immediately, but companies operating outside critical infrastructure must remember that having appropriate protection is a crucial step in mitigating and assessing risks. Generally, these standards will impact the private sector in the future. It would be best to prepare well in advance by evaluating the likelihood and impact of the risk on your company.

Assessments also enable you to allocate resources to protect your business from future threats. Working with experts at Grok Technology is a practical step toward analyzing your security posture and getting relevant preventive measures for current and future threats.

We will work together to assess your cybersecurity policy and then formalize standards and practices to help protect the entire enterprise. Some of the first steps to take immediately are:

  • Enhance mobile security: Most companies have already created a distributed and hybrid workplace where employees use "Bring Your Own Device" (BYOD) to access company data quickly. This creates an additional security risk that businesses must properly manage to remain safe.
  • Implement a zero-trust architecture: Businesses must always protect their sensitive data from unwanted parties. With Zero Trust, you can restrict access to networks, technological environments, and applications.
  • Gather quantitative metrics: By quantifying risk, it becomes easier to gather data for making the best decisions and to invest accurately in robust cybersecurity. Trust our experts at Grok Technology to collect and disseminate your company data to help in implementing a comprehensive cybersecurity program.

Grok Technology Services is your information technology guide. Talk to us today, and let us be your trusted I.T. partner.