Owners and operators of US critical infrastructure will now in some cases be legally required to report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
The bipartisan provision was passed by the US Senate as part of the $1.5 trillion FY 2022 funding bill with language matching the related Strengthening American Cybersecurity Act, which unanimously passed Senate earlier this month and requires critical infrastructure operators and owners to report substantial cyberattacks, like ransomware, to CISA within 72 hours and within 24 hours of making a ransomware payment.
It aims to give the US government, through CISA, greater visibility into the current threat landscape facing US private and public sector organizations. CISA was granted $2.6 billion under the funding bill, or $568 million more than last year to bolster the security of American networks.
The authors of the bill and funding provision, senators Rob Portman (R-OH) and Gary Peters (D-MI), said it was urgently need to counter potential cyberattacks sponsored by the Russian government in retaliation for U.S. support in Ukraine.
“This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for