2022 Congress: Strengthening American Cybersecurity Act

The Strengthening American Cybersecurity Act (SACA) is a new law aimed at modernizing the federal government’s cybersecurity laws. It was recently approved by the President and the Senate Homeland Security and Governmental Affairs Committee. It contains various measures to update the nation’s cybersecurity laws and regulations. The legislation now moves on to the House of Representatives.

Reporting requirements

The new reporting requirements under the American Cybersecurity Act (CISA) are aimed at helping organizations identify and mitigate cyber threats. The act’s final rule defines what constitutes a covered cyber incident and provides specific rules for reporting. The new rule does not require entities to file a full report on every cyber incident, but it does require entities to provide supplemental reports when new information becomes available.

CISA also requires covered entities to provide regular updates about cyber incidents. This information should be submitted no more than 72 hours after an incident has occurred. The director of the CISA cannot require an entity to submit its report earlier, however. In addition, companies are required to disclose whether they have paid or received ransom in exchange for the release of sensitive information.

The Strengthening American Cybersecurity Act of 2022 was passed unanimously by the Senate and is awaiting House approval. Once passed, the legislation will likely become law soon and impact both private and government sectors. This new act focuses on cybersecurity regulations and reporting requirements for critical infrastructure.

Covered entities

Under the Strengthening American Cybersecurity Act, companies are required to report cyber incidents and other issues to federal regulators. The act covers certain industries and companies and lays out the types of cyber incidents and other information that must be reported. Companies are responsible for ensuring that they follow the reporting requirements because the information they report can be used against them. This is why companies are encouraged to consult with their counsel if they have experienced a cyber incident.

The law defines “covered entities” as organizations that own or operate critical infrastructure. This includes many IT departments. It also identifies certain MSPs as covered entities. The law requires these companies to submit a report to federal regulators within specified timelines. The goal is to ensure that companies understand the implications of cybersecurity incidents and implement appropriate mitigation measures for them.

The Strengthening American Cybersecurity Act was recently signed into law and will take effect in March 2022. The Act also requires “covered entities” to disclose information about any cybersecurity incident within 72 hours of becoming aware of it. The government cannot respond to an incident it is not aware of, which makes fast disclosure vital.

Data retention requirements

The Strengthening American Cybersecurity Act of 2022 was unanimously passed by the US Senate on March 1. The new law requires companies that operate or own critical infrastructure to notify the Department of Homeland Security within 72 hours if they suspect a data breach. The legislation also requires companies to report ransomware payments to the CISA within 24 hours.

This new law is a great step toward improving cybersecurity and reducing cybersecurity risks. Companies should work with counsel to determine if they fall under the Act’s guidelines and to ensure their security protocols comply with the new law. However, even if your company does not fall under the Act’s strict rules, it is important to follow cybersecurity best practices to protect your company’s information from cyberattacks.

The new law also requires agencies to make an inventory of all internet-accessible information systems and assets. It also requires the CISA to perform risk assessments of agencies using information from various sources.

Reporting deadlines

The Strengthening American Cybersecurity Act (SACA) requires critical infrastructure operators to report a cyberattack to CISA within 72 hours and any payments received as a result of ransomware attacks within 24 hours. The Act also requires CISA to promulgate implementing regulations to clarify its scope and enforce compliance with key reporting requirements. The Act’s timeline calls for a final rule to be issued within 18 months of the notice of proposed rulemaking.

The Strengthening American Cybersecurity Act (SACA) contains penalties for non-compliance with its reporting requirements. If a company fails to disclose critical information required by the Act, the CISA Director can issue a subpoena, and the U.S. Attorney General can file a civil action. With these measures, the CISA aims to spur accurate reporting of attacks on private infrastructure and identify patterns across multiple enterprises.

While the SACA’s goals are commendable, we must also acknowledge that this bill is unlikely to be fully effective until all stakeholders work together to ensure the quality of the information being reported. Creating a transparent process and providing a continuous stream of incident reporting will be key to the act’s success. A lack of cooperation will render the legislation ineffective.