What You Need to Know About the Strengthening American Cybersecurity Act
In the wake of the Russian military invasion of Ukraine, fear of cyberwarfare has risen among the American public, many of whom still have the Colonial Pipeline ransomware attack fresh on their minds. In response, the U.S. government is seeking not only to address these events, but also to raise awareness and security compliance for American entities in the face of potentially devastating cyberattacks closer to home.
In March, U.S. President Joe Biden signed an unprecedented yet much-needed cybersecurity bill into law, which will provide a framework for operational networks dealing with federal infrastructure and civilian agencies.
Passed in the Senate with unanimous support, the Strengthening American Cybersecurity Act of 2022 creates reporting requirements for critical infrastructure and covered entities. While individual local and state governments have their own compliance frameworks and laws governing breach response, the act enforces uniformity within networks which contain sensitive data that is critical to national security.
This new vigilance reflects a systematic, risk-based approach to threat mitigation, and that approach is taking hold at the federal level.
When reporting an incident, the act requires the following:
- Giving notice to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
- A complete description of the incident and vulnerabilities exploited, as well as which defense systems were in place.
- If known, contact information or additional details about the responsible parties.
- The type of potentially compromised information.
- Details and contact information for the impacted entity.
While the act will not immediately affect companies operating outside of critical infrastructure, all entities should bear in mind that implementing and maintaining proactive cybersecurity practices is an essential step in risk assessment and mitigation.
It is not clear at this point when the standards outlined in this legislation will reach the private sector, but assessing the likelihood and impact of these risks early, and allocating resources appropriately, will protect businesses of all sizes from future threats.
Organizations should take the time now to assess their cybersecurity policies and – if found to be lacking – formalize standards and practices to protect their enterprise.
Some first steps in this process include:
- Implementing zero trust architecture – Gone are the days of unregulated network access regardless of role. Zero trust restricts access within the operational environment, networks, applications, and the technology environment to the minimum necessary for each role, which strengthens network security.
- Personal and company mobile security – Unfettered access to private company networks from unaccounted-for and unprotected devices increases the risk of cybersecurity incidents. These devices can be properly managed with a practical yet enforceable bring your own device (BYOD) policy.
- Quantitative metrics – Quantifying operational cyber risk makes stakeholders more likely to spend on solutions that reduce risk exposure and costs by aligning with best practices. Gathering and disseminating this information is vital when implementing a comprehensive cybersecurity program.
Legal frameworks like the Strengthening American Cybersecurity Act of 2022 are a major proactive step in addressing the potential impact a cyberattack could have on the American public and private infrastructure.
By aligning federal regulations with existing local notification laws, the act lets impacted parties work in a cyber environment meant to reduce the operational silos that limit knowledge of vulnerabilities, individual risk, and threat actor profiles.
If you have any questions about the information above, please contact your E. Cohen advisor. For a cybersecurity assessment or more information, contact our subsidiary, BinaryLab, at 301-337-3131.