Although almost nothing seems to get bipartisan support anymore, cybersecurity may be an exception to the rule. On March 1, 2022, the Senate unanimously approved the Strengthening American Cybersecurity Act. This bill follows President Biden’s executive order on cybersecurity last year (E.O. 14028). On March 15, the President signed the new bill into law.
This law contains three separate acts. Two of them stipulate new reporting and modernization requirements for covered bodies. They are the Cyber Incident Reporting for Critical Infrastructure Act of 2022, and the Federal Information Security Modernization Act of 2022 respectively. The third act—the Federal Secure Cloud Improvement and Jobs Act of 2022—makes the shift toward cloud-based technologies easier and quicker for federal agencies.
The rulemaking process is likely to take another two years to finish. So it’s still unclear precisely who is impacted by the Strengthening American Cybersecurity Act. For the moment, the law covers federal agencies and operators of critical infrastructure. However, the Cybersecurity and Infrastructure Agency (CISA) plays a prominent role in enforcing the bill’s requirements. And it has yet to define which types of organizations fall under the critical infrastructure category.
If CISA applies the law broadly, tens of thousands of organizations will be