
Senate Passes Strengthening American Cybersecurity Act

For the last few years, Congress has been cramming a bunch of cybersecurity stuff into the ‘must-pass’ National Defense Authorization Act or NDAA when it comes up each fall. One provision that made it through the House but got axed by the Senate last year was a requirement for very rapid reporting of breaches and ransomware. Apparently, some really rich donors complained that they would really like to keep that sort of thing very quiet so that the news would not get wind of it and make them have to defend whatever cybersecurity practices they did or did not have in place.

Last month the SEC announced new proposed rules that require companies to publicly admit what cybersecurity expertise they did or did not have on their Boards (mostly, did not).

Yesterday the Senate, by unanimous vote, approved the Strengthening American Cybersecurity Act. When was the last time you can remember the Senate passing anything unanimously? It doesn’t happen often.

This bill does now need to go to the House, but given that they already passed a similar bill, it is likely to move quickly.

It appears that the newfound urgency is due to the threat of Russian cyberattacks.

The bill has 4 pieces:

  • Critical infrastructure owners and operators and federal civilian agencies must report any significant cyberattack to CISA within 72 hours.
  • Almost everyone will need to report any ransomware payment to CISA within 24 hours.
  • It ‘modernizes’ some of the requirements of FISMA, the law that governs federal civilian agencies’ cybersecurity practices.
  • Finally, it pushes the federal government further into cloud computing.

It also codifies CISA as the lead federal government civilian cybersecurity agency.

Parts of this only affect government agencies, but other parts affect the commercial world. This bill is about 200 pages, so we will need to tear it apart once it makes it to the President’s desk.

While some people will complain, this is a step forward. I am a fan of doing this in relatively small bites, even though it is painful. It is clear that given the current politics, you pass what you can, when you can.

Credit: Security Week and ZDNet