What is the Strengthening American Cybersecurity Act of 2022?
The Strengthening American Cybersecurity Act comprises multiple bills that are designed to reduce threats to critical infrastructure and the federal government. Any organization operating in industries deemed critical to running the country, such as finance, energy, transport, agriculture, manufacturing and more, will now have to report significant cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. If it’s a ransomware attack and the ransom is paid, organizations must report the payment within 24 hours.
However, there’s much more going on between the lines than the new reporting requirements. The act also contains bills to modernize information security, including the use of penetration testing and threat hunting to identify, deter and minimize the risk of threats. The National Institute of Standards and Technology (NIST) will also see its role expanded, partnering with industry stakeholders to develop new frameworks to improve the security and integrity of the technology supply chain.
There’s a strong case to be made that the Strengthening American Cybersecurity Act is simply a reaffirmation of cybersecurity best practice, and that’s something a compliance-driven approach can help with.
In essence, this act will impact any business that sees the US government as a potential customer, effectively increasing the “cost of doing business” by raising standards for cybersecurity across the board. These standards will not only impact federal agencies and critical infrastructure organizations directly, but potentially other businesses along their supply chains too.
There is certainly an argument to be had about whether this new act is simply a reaffirmation of existing cybersecurity best practices – things that the majority of organizations should have been doing all along. The question is whether it’s right to wait for legislation, or whether companies should be getting ahead of the curve and using their initiative to increase their own security posture anyway – and this is where compliance-driven security comes into play.