President Biden on March 15 signed into law a federal cyberattack reporting requirement aimed at protecting critical infrastructure in the U.S.
The law, the “Strengthening American Cybersecurity Act of 2022,” requires critical infrastructure organizations in 16 industry sectors identified by the federal government, including the energy sector, to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a cyberattack, and within 24 hours of making a ransomware payment.
The law further stipulates that CISA will have the authority to subpoena organizations within the identified industry sectors that fail to report cybersecurity incidents or ransomware payments and can refer non-compliant organizations to the Department of Justice.
CISA is required to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and to expand its information sharing efforts.
The text of the bill is available here.