U.S. Senate Unanimously Passes the Strengthening American Cybersecurity Act

Written by: Brock Wolf, Esq.

On March 1, 2022, the United States Senate unanimously passed the Strengthening American Cybersecurity Act. This package of three bills aims to strengthen U.S. cybersecurity by enhancing cyber incident reporting requirements, tightening cybersecurity requirements for federal agencies and directing federal agencies to migrate to cloud computing services.

One of the bills, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, includes strict reporting requirements for critical infrastructure providers, or “covered entities,” a term that will be fully defined by subsequent rulemaking. Covered critical infrastructure owners and operators would have to report to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours of reasonably believing that a covered cyber incident has occurred. Additionally, these “covered entities” would be required to notify CISA within 24 hours of making any ransom payment following a ransomware attack, even where the underlying incident was not itself reportable.

The contents of a report to CISA under the bill must include the following:

  • A description of the incident;
  • A description of the vulnerabilities exploited and security defenses that were in place, as well as the tactics and procedures used to perpetrate the cyber incident;
  • Any identifying or contact information related to the threat actor believed to be responsible for the cyber incident;
  • The categories of information that were, or are reasonably believed to have been, subject to unauthorized access or acquisition;
  • Information about the impacted entity, including the state of incorporation, legal entity name, trade name or other related identifiers; and
  • Contact information for the covered entity or an authorized agent of the entity.

When reporting ransom payments, an entity must include the following information, in addition to the requirements above:

  • An estimated date range of the attack;
  • The date of the ransom payment;
  • The ransom payment demand, including the virtual currency or commodity requested by the threat actor;
  • The ransom payment instructions; and
  • The amount of the ransom payment.

“Covered entities” would be required to supplement their reporting whenever substantial new or different information about the incident comes to light. Such updates would need to be provided to CISA until the entity notifies CISA that the incident has concluded and has been fully mitigated and resolved.

While the House of Representatives considers the legislation, the package has come under fire from the Department of Justice and the FBI. The Cyber Incident Reporting for Critical Infrastructure Act calls for reporting to CISA, but it does not require covered entities to report to the Federal Bureau of Investigation, which has objected to being left out of the reporting chain. The legislation comes at a time when U.S. officials are expecting an uptick in cyberattacks from Russia.
