The Strengthening American Cybersecurity Act of 2022, a bill that narrowly failed to become law in late 2021, passed the Senate on Tuesday, March 1. It is a package of cybersecurity measures that would require operators of critical infrastructure and federal civilian agencies to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The bill had bipartisan support, sponsored by Senator Gary Peters (D-Mich.) and Senator Rob Portman (R-Ohio). It is the most significant cyber bill to clear the Senate in the chamber’s history, and if enacted it would be the first significant cyber legislation since the Cybersecurity Information Sharing Act of 2015, which gave companies liability protection for voluntarily sharing cyber threat information with the government. The Strengthening American Cybersecurity Act of 2022 requires reporting of cyber incidents by critical infrastructure entities and federal agencies, establishes stricter cybersecurity requirements for federal agencies, and directs federal agencies to migrate to cloud-based networks, among other provisions defining CISA’s roles and responsibilities.
Title II of the bill sets out reporting requirements for critical infrastructure, or “covered entities,” a term that would be defined by subsequent CISA rulemaking. Critical infrastructure owners and operators would have to notify CISA within 72 hours of reasonably believing that a “covered cyber incident” has occurred, and within 24 hours of making a ransom payment as the result of a ransomware attack. A cyber incident is defined as any occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system; an occurrence that only imminently threatens such harm does not qualify. “Covered cyber incident” would also be defined by rulemaking, but at a minimum would include: (i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes; (ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero-day vulnerability; or (iii) unauthorized access or disruption of business or industrial operations due to a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or due to a supply chain compromise. Notably, the bill does not require reporting to the FBI; instead, it provides a mechanism for CISA to share reported information with other agencies.
Though the specifics are also subject to subsequent rulemaking by CISA, the bill establishes minimum requirements for the contents of every report. A report of a covered cyber incident shall include, where available and applicable:
- A description of the covered cyber incident
- A description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident
- Any identifying or contact information related to each actor reasonably believed to be responsible for such cyber incident
- The category or categories of information that were, or are reasonably believed to have been, subject to unauthorized access or acquisition
- Information about the impacted entity, including state of incorporation or formation, legal entity name, trade names, or other identifiers
- Contact information for the covered entity or an authorized agent of the entity
If enacted, covered critical infrastructure entities would be required to supplement their initial report whenever substantial new or different information becomes available. Supplemental reporting would continue until the entity notifies CISA that the covered cyber incident has been resolved. If a covered entity is already required by law, regulation, or contract to report substantially similar information to another federal agency within a similar timeframe, that entity may be exempted from the reporting obligations established in the Act.
Reporting of ransom payments will include, at a minimum, where available and applicable:
- A description of the attack, including estimated date range of the attack
- A description of the vulnerabilities, tactics, techniques, and procedures used to perpetrate the ransomware attack
- Any identifying or contact information related to each actor reasonably believed to be responsible for the ransomware attack
- The name and other information that clearly identifies the covered entity that made the ransom payment or on whose behalf the payment was made
- Contact information for the covered entity or an authorized agent of the entity
- The date of the ransom payment
- The ransom payment demand, including the type of virtual currency or other commodity requested
- The ransom payment instructions
- The amount of the ransom payment
Reporting of a ransom payment would be required even if the ransomware attack that prompted it does not rise to the level of a covered cyber incident under the Act.
The bill now goes to the House, where it is backed by Representative Yvette D. Clarke (D-N.Y.), chair of the Homeland Security Committee’s subcommittee on cybersecurity, and Representative John Katko (R-N.Y.). As of now, no floor time or debate has been scheduled in the House.