Senate Passes the Strengthening American Cybersecurity Act to Require Incident Reporting

Earlier this week, the Senate passed by unanimous consent the Strengthening American Cybersecurity Act in the latest action to increase the cybersecurity of critical infrastructure throughout the US. The Act is a package of three bills – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. The first bill, which marks a significant move towards better understanding the frequency and scope of cyber incidents, would require designated critical infrastructure entities to report cyberattacks within 72 hours and ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA). The other two bills focus on improving coordination and communication between Federal agencies and accelerating the deployment of cloud computing products and services to drive adoption of more secure modern technology to reduce dependency on legacy IT systems.

Notably, the Act clearly places CISA in the center seat for critical infrastructure cyber incident response, which calls into question the exact role of other Federal agencies who may also have shared authorities in this space.

The legislation must still make it through the House before it ends up on the President’s desk, but there’s no reason to believe it will not move forward given the present geopolitical climate and increased warnings from intelligence agencies to critical infrastructure sectors about the potential for foreign interference.

At just over 200 pages, ASDWA is still sorting through the details, and will continue to keep our members informed of the Act’s progress as it moves through the legislative process.