UPDATE: Strengthening American Cybersecurity Act of 2022 Signed Into Law

March 28, 2022

On March 15, 2022, the Strengthening American Cybersecurity Act, which includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022, was signed into law by President Biden, thereby creating new reporting requirements for critical infrastructure entities. Under the Act, entities considered to be critical infrastructure must notify the Cybersecurity and Infrastructure Security Agency within 72 hours of discovering a covered cyber incident and within 24 hours of a ransomware payment.

By: Lewis Brisbois' Data Privacy & Cybersecurity Team 

On March 15, 2022, four days after unanimous approval by the U.S. Senate, the Strengthening American Cybersecurity Act, which includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), was signed into law by President Biden, thereby creating new reporting requirements for critical infrastructure entities. Under the Act, entities considered to be critical infrastructure must notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovering a covered cyber incident and within 24 hours of a ransomware payment.

Although the Act has been signed into law, the Director of CISA has up to 24 months to publish a notice of proposed rulemaking. The Act also permits an additional 18 months after the notice for issuance of a final rule. This timeline is important to keep in mind, as much of the Act instructs the Director of CISA to establish clear reporting guidelines and regulations. Until the Director issues a final rule, key definitions such as what constitutes a “covered cyber incident” and which entities qualify as “critical infrastructure” remain unclear.

When the Senate passed the Act, it did not provide for sharing CISA incident reports with the Department of Justice (DOJ), including the Federal Bureau of Investigation (FBI). Representatives from the DOJ criticized the Senate version of the Act for this reason, arguing that preventing the FBI from accessing cybersecurity incident reports submitted to CISA would handicap the FBI’s ongoing investigations into a number of cybercriminal operations. However, the Act as signed into law has corrected this issue and now allows CISA to share the reports it receives with a number of federal agencies, including the DOJ and FBI.

Now that the Act and its expansive requirements have become law, critical infrastructure entities should take the necessary steps to create or update their incident response plans to address the new 72-hour and 24-hour notice requirements and examine their internal policies and procedures. Once the incident response plan is in place, organizations can test their incident preparedness by running tabletop exercises to ensure their teams are prepared to effectively handle a cyber incident. Lewis Brisbois’ Data Privacy & Cybersecurity Team can help your organization prepare for the Act’s new requirements before an incident occurs.

For more information on this new law, contact the authors of this post or visit our Data Privacy & Cybersecurity Practice page to find an attorney in your area. You can also subscribe to this blog to receive email alerts when new posts go up.