Skip to content

The Strengthening American Cybersecurity Act Aims to Fix Critical Gaps

The newly passed Senate act is the most significant cybersecurity legislation in U.S. history. Here’s how CEOs and CIOs should start preparing.

Long Read

Major, sweeping, historic—those are the words being used to describe new Senate legislation, passed on March 2, which requires critical infrastructure companies and civilian federal agencies to report cyberattacks and ransomware payments and to take a risk-based approach to cybersecurity.

What’s in the Strengthening American Cybersecurity Act of 2022?

The three bills in the Strengthening American Cybersecurity Act, which the Senate passed unanimously, now await passage in the House. They apply to enterprises in critical sectors, including energy, financial services, healthcare, and transportation. The legislation failed in the Senate last year.

Its recent passage underscores a new urgency being felt across political parties and organizations across the West. “This bill is especially critical as we continue supporting Ukraine,” said Sen. Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee, in a recent tweet. “We must keep preparing for possible retaliatory cyberattacks from the Russian government,” he added.

Know your IT risk posture

The last time Congress passed any law as wide-ranging as this was in 2015, with legislation that encouraged companies to volunteer information about hacks (and promising legal protection if they did). The new act requires banks, medical centers, utilities, and other organizations to report a “substantial cyber incident” to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours—and any ransomware payments they make within 24 hours of making them.

The goal of mandated reporting is to gain a greater understanding of just how many and what type of cyberattacks strike U.S. organizations each day (something cyber leaders have been struggling with for years), and to be able to warn other entities that may be at risk when those hacks occur.

This new legislation signals a crucial change for large and small organizations alike. Endpoint, which regularly reports on the strategies, skills, and processes that enterprises need to be cyber resilient, presents three of the most important.

Improve your cyber risk score

Besides its reporting mandate, the Senate’s newest legislation demands that the government take a risk-based approach to cybersecurity. That means organizations need an accurate cyber risk score. They must also take measures (and spend money to enact those measures) based on a clear assessment of risk, including the likelihood of an attack and the consequences after any specific response is taken. Legislators hope this tactic will trickle down to private-sector enterprises.

CISA chief Jen Easterly called it “a critical step forward in ensuring our nation’s security.”

We must keep preparing for possible retaliatory cyberattacks from the Russian government.

Sen. Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee

Taking the reins of your cybersecurity strategy and lowering your cyber risk is a step-by-step process, with a variety of essential components. The assessment of cyber risk itself is just one of those components. An organization’s risk score is affected by a host of other variables that require action, including a company’s overall assets (which must be regularly inventoried), zero-trust principles (regularly enforced), incident response (reviewed), configurations (managed), and software (updated).

Tackling so many operating procedures at once may seem daunting. Taking it step by step is always wise.

[Read more: 6 tips for shielding your organization from rising cybercrime]

Make security a top priority in your enterprise’s digital transformation strategy

If you think of cybersecurity as part of the value stream of any enterprise, then it should be a no-brainer: Security and digital transformation go hand in hand, which means security teams must be brought in early on any digital initiatives.

That should go without saying. But CEOs and their boards need to hear it.

Government regulations are changing, consumer behavior is changing, and—most important—software vendors are changing.

Eric Kimberling, CEO and founder, Third Stage Consulting Group

Digital transformation allows enterprises to do business with consumers in a safe, predictable way. Increasingly, businesses are leaping on the idea of digital transformation as a way not only to protect their customers but also to instill in them a sense of confidence and trust in the enterprise itself.

While some are transforming by choice, hoping to grab a competitive advantage over their rivals in the marketplace, many are being dragged to the table, notes Eric Kimberling, CEO and founder of Third Stage Consulting Group and host of the Transformation Ground Control podcast.

“A majority of organizations are being forced, either because the economy in the world is changing, because government regulations are changing, consumer behavior is changing, and/or—most important—software vendors are changing,” says Kimberling. In many cases, he explains, software vendors are forcing a sunset of their legacy products, which in turn forces a lot of organizations into a digital transformation they weren’t ready for.

Given that organizations are now spending some $700 billion annually on digital-transformation projects, this is definitely something that stakeholders want to get right. Here’s how.

[Read more: Security at the speed of digital transformation]

Monitor and prep for “regulation sprawl”

The new Senate legislation is just the latest in a slew of data-integrity regulations springing up in the U.S. and around the globe. The evolving regulatory mindset on Capitol Hill from 2015 to today is a good indicator of where things are headed. What started as a polite request for voluntary information has morphed into an incontrovertible demand.

It’s a real jigsaw puzzle to come up with a program that will be globally compliant.

Kenneth Citarella, senior managing director of investigations, Guidepost Solutions LLC

The reality for multinationals is this: They now face greater scrutiny to comply with digital security and personal privacy laws than ever before. And the invasion of Ukraine has put the world on edge. Regulations, at least for the foreseeable future, will only get stricter. And multiply.

“It’s a real jigsaw puzzle to come up with a program that will be globally compliant,” Kenneth Citarella told Endpoint last year. As senior managing director of investigations at Guidepost Solutions LLC, Citarella solves compliance issues, helping clients understand the legal jurisdictions in which they operate, the data they can collect, and the ways they can or cannot share it.

“You have to get incredibly granular,” he says.

There’s no off-the-shelf software to help you do that. For now, organizations must find robust ways to effectively assess their risk posture and maintain compliance to new rules, both here and abroad.

[Read more: Data-security “regulation sprawl” puts multinationals under pressure]

The sprawl of new rules and regulations is dizzying—and expensive. Cross the wrong line and a brand risks losing revenue and tarnishing its reputation. That makes compliance the newest cyber threat—and security practitioners the best line of defense in an increasingly complicated world.

Joseph V. Amodio

Joseph V. Amodio is an experienced journalist who has covered the change-makers and latest developments in a variety of fields, including health and medicine. His work has appeared in The New York Times Magazine, Newsday, CNN.com and numerous other media outlets.