The US Senate is considering a legislative package known as the Strengthening American Cybersecurity Act, which combines three proposed bills. One key bill would require critical infrastructure organizations to notify the Department of Homeland Security (DHS) within 72 hours of a breach and within 24 hours of a ransomware payment. Other bills involve overwriting parts of the 2014 Federal Information Security Modernization Act, which assigns responsibility for cybersecurity policy and oversight to the Office of Management and Budget (OMB), with the Cybersecurity and Infrastructure Security Agency (CISA) in charge of coordination and the National Cyber Director responsible for overall strategy. The bill also contains a measure on improving cloud security requirements for the US federal government.
Both ranking members of the Homeland Security Committee expressed a general desire to fast-track cybersecurity legislation due to current tensions involving the US, Russia, and Ukraine. There is an elevated risk of cyberterrorism and cyberespionage as long as tensions continue. Organizations should continue to pursue security best practices in accordance with their respective threat models and risk management frameworks, and should consider the new compliance requirements in legislation currently under consideration in order to be prepared.