The United States Senate has passed legislation requiring critical infrastructure operators and federal agencies to report cyber-attacks within 72 hours and ransomware payments within 24 hours.
America’s Upper House approved the Strengthening American Cybersecurity Act of 2022 on Tuesday. The Act combines language from three bills, including the cyber-incident reporting bill, introduced to the Senate by the Senate Homeland Security and Governmental Affairs Committee leaders in September 2001.
The legislation would impact companies across 16 federally designated critical infrastructure sectors, including energy and financial services.
Under the new legislation, current federal cybersecurity laws would be updated to enhance coordination between federal agencies. In addition, all federal civilian agencies would be required to report any substantial cyber-attacks to the Cybersecurity and Infrastructure Security Agency (CISA).
The Act would also give the Federal Risk and Authorization Management Program (FedRAMP) five-year authorization to ensure federal agencies are able to adopt cloud-based technologies.
Senator Gary Peters of Michigan, the co-author on the package of bills, said: “As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government.”
He added: “This landmark, bipartisan legislative package will provide our lead cybersecurity agency, CISA, with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches.”
Jim McKenney, practice director, industrials and operational technologies, at NCC Group, commented that the 72-hour reporting requirement might present a challenge for even large and well-resourced organizations as it requires a robust and mature process that is exercised regularly.
“Critical infrastructure owners and operators will need to dedicate considerable resources and find strong partners to help develop and exercise incident processes to meet the 72-hour reporting requirement,” said McKenney.
He added: “The two main challenges to complying with the requirements will be resource constraints for operators to obtain and maintain cyber incident processes, and lack of tooling and instrumentation in operational technology environments.”