The Strengthening American Cybersecurity Act is described as a landmark piece of legislation that aims to strengthen the response to the growing threat of cybercrime and state-sponsored cyber warfare against the United States. Although Congress unanimously passed the act in March 2022, it is currently awaiting sign-off from the House of Representatives before President Biden signs it into law.
Commentators say the radical changes are long overdue and will introduce a much-needed security framework for government institutions to follow, one that provides a solid foundation of cybersecurity best practices and improves the cybersecurity posture of the United States government.
The act comprises three bills: Title I, the Federal Information Security Modernization Act; Title II, the Cyber Incident Reporting Act; and Title III, the Federal Secure Cloud Improvement and Jobs Act.
Join us as we discuss the impact expected from this act and why it is crucial in defending against an ever-increasing threat to national security.
Why Is the Strengthening American Cybersecurity Act of 2022 Needed?
Cybercrime is a growing problem that poses a significant risk to government institutions and critical homeland infrastructure. Russia has been suspected of state-sponsored hacking and criminal cyber activity for many years. However, the risk has increased significantly since Russia invaded Ukraine, and there is a growing threat of Russia retaliating in response to increasing U.S. support for the Ukrainian war effort.
The federal agency in charge of responding to cybercrime, CISA (the Cybersecurity and Infrastructure Security Agency), wants greater authority to instruct critical government services on how to defend against and coordinate a response to cybersecurity incidents. For example, a major oil pipeline (the Colonial Pipeline) was shut down last year because of a severe ransomware attack. The attack immediately caused a price rise at gas stations across the East Coast.
The legislation aims to stop such events from directly impacting the everyday life of the American people. It seeks to ensure that banks, utility services, electric grids, water networks, oil pipelines, and mass transit systems can quickly recover from a damaging cyberattack.
What Does The Act Involve?
At the moment, the act's primary focus is the reporting of cybersecurity incidents. It introduces minimum reporting requirements: critical infrastructure entities and federal civilian agencies must report any "substantial cyber incident."
Attacks are to be reported to the Cybersecurity and Infrastructure Security Agency (CISA) regardless of which systems were compromised or what data was breached. Entities have 72 hours to report a hack and only 24 hours to report that a ransomware payment has been made.
If an entity fails to meet these requirements, CISA has the power to compel it to appear in court, where it will likely have to pay a fine. As the enforcement details are still being worked out, the severity of the penalties has yet to be defined.
The strict time constraints on reporting an incident may cause significant headaches. By the nature of a cyber attack, attackers can lie dormant inside a network for weeks or months before any evidence of compromise is discovered.
The proposed legislation will likely force entities to strengthen their cybersecurity posture by enforcing policies that promote security awareness. These checks will ensure that basic standards are met: systems are patched, vulnerabilities are resolved, and detailed risk assessments take place with a roadmap for fixing problems.
Let's dig deeper and discover more about each of the three acts in the legislation.
The Federal Information Security Modernization Act
FISMA was signed into law by President Barack Obama in 2014 and introduced processes and controls to ensure the confidentiality, integrity, and availability of system-related information. It applies to every federal agency, and its purpose is to standardize multiple information security practices.
The purpose of the act was to:
- Amend existing regulations to improve federal cybersecurity
- Enhance federal incident transparency and notification expectations
- Add to FISMA guidance
- Enhance mobile security
- Implement zero-trust architecture
- Codify vulnerability disclosure programs
- Automate reports
- Establish inventory
- Gather quantitative metrics
- Secure physical operations centers
The Cyber Incident Reporting for Critical Infrastructure Act
CIRCIA was signed into law in March 2022 by President Joe Biden; this is the part of the legislation that covers the mandatory reporting of cybersecurity incidents. Its purpose is to empower CISA to send help and resources to the affected federal agency to assist with any cybersecurity incident.
The act addresses these concerns:
- Cyber incident reporting
- Federal incident report sharing
- Ransomware vulnerability warning programs
- Ransomware threat mitigation activities
- Congressional reporting
The Federal Secure Cloud Improvement and Jobs Act
While the act may not feature the catchiest of titles, it is nonetheless important. This part of the legislation focuses specifically on federal agencies receiving approval to use cloud technology providers for core services. It outlines the requirements and standards for using the public cloud, promoting cybersecurity modernization and next-generation security principles such as a risk-based paradigm, zero-trust principles, endpoint detection and response, cloud migration, automation, penetration testing, and vulnerability disclosure programs.
How Can You Reduce the Risk of a Data Breach?
One of the best ways to reduce the risk of a breach is to outsource critical IT systems to security-conscious hosting providers like Atlantic.Net. Our architecture is built to exacting standards and is able to meet compliance requirements for special circumstances such as HIPAA-compliant hosting. MFA is implemented across the business, and our engineers follow the principle of least privilege, ensuring that every user has only the permissions required for the task at hand.
When outsourcing services to third parties, ensure that extra due diligence is performed on each vendor to understand the risk of a supply chain attack. Identifying all aspects of risk and writing down an actionable plan will create a baseline for the company's required and desired security goals.
If you would like to learn more, please reach out to the team. Contact Atlantic.Net at 888-618-DATA (3282) (toll-free) or +1-321-206-3734 (international) or by writing to us via the contact page, and we will be happy to assist you.