Cybersecurity laws are constantly evolving, and the Strengthening American Cybersecurity Act of 2023 is one of the important laws passed by US authorities. The US government has been working on cybersecurity laws for a while, and the Senate recently passed a bill called the “Strengthening American Cybersecurity Act”. According to the bill, the government needs to take action to protect American data, which means making sure that American companies and organizations are protected from cyber attacks. The Act is intended to combat and safeguard against the rise in cyberattacks from Eastern Europe at a time when the Russian invasion of Ukraine is causing anxiety around the world.
Three regulations are contained in the Act:
1. The Federal Information Security Modernization Act of 2023
2. The Critical Infrastructure Cyber Incident Reporting Act of 2023
3. Act of 2023 to Improve Jobs and Federal Secure Cloud Security
Although this legislation focuses on critical infrastructure, it could have far-reaching effects in the future. Cybersecurity attacks on critical infrastructure, including some notorious and crippling ransomware, are increasingly making headlines and highlighting the significance of current and secure cybersecurity policies. Here, we go over the fundamentals of the Act.
1. Requirements for Reporting
According to the Strengthening American Cybersecurity Act, specific entities that make up vital infrastructure are required to submit reports to CISA within specific timeframes. The Act specifically mandates that “covered entities” operating in “critical infrastructure” sectors report to CISA within 72 hours of learning about a cybersecurity issue and within 24 hours of receiving any ransom payments.
These new reporting requirements won’t be in force until CISA issues implementing regulations. CISA must publish a notice of proposed rulemaking within 24 months, and the final rule must be issued within 18 months of that notice.
2. Infrastructural Requirements and Covered Entities
By identifying “covered entities” inside the “critical infrastructure” sectors, CISA’s implementing regulations will make the Act’s scope clearer.
The Strengthening American Cybersecurity Act states that “critical infrastructure sector” refers to “systems and assets, whether physical or virtual, so vital to the United States that the inability or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This definition is taken from Presidential Policy Directive 21, which was issued in 2013.
3. Cyberattacks that Are Covered
The CISA final rule will also provide definitions of “covered cyber incidents,” as well as guidelines for the format and presentation of the required reports.
At the very least, a “covered cyber incident” will include an incident that “leads to substantial loss of confidentiality, integrity, or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes,” “[a] disruption of business or industrial operations…,” or “unauthorized access or disruption of business or industrial operations due to compromise of a cloud service provider, managed service provider, or other entity.”
The Strengthening American Cybersecurity Act and its reporting requirements, which will be more precisely outlined when the final CISA guidelines are published, might have an impact on businesses in a variety of industries. We will keep an eye on any relevant developments and will continue to notify you of any new advisories as soon as CISA publishes its proposed implementing regulations.