Businesses and individuals face an ever-growing number of pressures, from ongoing labor shortages and supply chain issues to mounting cybersecurity threats. With these disruptions lurking around every corner, you may be wondering how we can begin to move the dial and combat them. There is hope on the horizon for cybersecurity threats in the form of a new piece of legislation – the Strengthening the American Cybersecurity Act.
We sat down with Brian Young, principal with technology solutions, to better understand what this act entails, who will be affected, and how to start preparing for the changes ahead.
Where it stands today
The Strengthening the American Cybersecurity Act is a bipartisan piece of legislation authored by U.S. Senators Gary Peters (D-Mich.) and Rob Portman (R-Ohio), top members of the Senate Homeland Security and Governmental Affairs Committee. The act combines language from three previous bills – the Cybersecurity Incident Reporting Act, Federal Information Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act – all of which were authored by Sen. Peters and advanced out of the Homeland Security and Governmental Affairs Committee. The bill has been passed by the House and the Senate and is currently waiting to be signed into law by President Biden.
Who will be affected?
This bill will affect 16 different sectors, both private and public, ranging from manufacturing to healthcare, that are deemed critical infrastructure – if these organizations were to experience a cybersecurity attack, public health and the safety of U.S. citizens could be severely impacted. Think back to May of 2021 when the Colonial Pipeline, which moves oil from refineries to industry markets along the East Coast, experienced a ransomware attack. The attack was so severe that President Biden declared a state of emergency. The goal of this bill is to provide funding, education, and tools to make these sectors more resilient and less likely to be targets of attacks like the Colonial Pipeline event.
Preparing for new requirements
This bill will provide additional authority to the Cybersecurity Infrastructure and Security Agency (CISA), naming it the lead federal agency to handle cyber incidents. Critical infrastructure owners and operators will be required to report to CISA within 72 hours of experiencing a substantial cybersecurity attack, or within 24 hours if they make a ransom payment to the threat actor. The bill will also update current federal cybersecurity laws, improve coordination between federal agencies, and require the federal government to take a more risk-based approach to cybersecurity. The goal is to report cybersecurity attacks to a central entity, CISA, so that we can begin to understand when, where, and how these attacks are happening. With that information, we are better equipped to prevent, protect, and respond more efficiently to cybersecurity attacks. Additionally, the bill authorizes the Federal Risk and Authorization Management Program, known as FedRAMP, for up to five years. This authorization ensures that federal agencies can quickly and securely adopt cloud-based technology to improve overall government efficiency and save taxpayer dollars.
With each passing day, cybersecurity attackers are only becoming smarter and better at what they do. The Strengthening the American Cybersecurity Act is a chance for federal agencies to catch up to these attackers and better understand how to deter them. Rehmann advisors like Brian Young are constantly monitoring the ebb and flow of cybersecurity, working to analyze bills such as this one which hopefully will bolster our ability to stay secure. Understanding – and sharing – how our clients could be affected by this kind of legislation is a top priority. Contact us today if you have questions about your organization’s cybersecurity posture.