The United States House of Representatives passed the Strengthening American Cybersecurity Act (SACA) yesterday as part of a larger $1.5 trillion spending package. The bill has already passed the Senate, is supported by President Biden, and is widely expected to be signed into law. The SACA mandates reporting to the Cybersecurity and Infrastructure Security Agency (CISA) in the event of a breach: organizations will have 72 hours to report a breach and 24 hours to report a ransomware payment once it is made. CISA has publicly stated its intent to share such information with other US government agencies, such as the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ). The SACA has nonetheless drawn criticism from the FBI and DOJ because it does not require direct reporting to these law enforcement agencies and may therefore slow their response. The spending package also increased CISA's funding by $300 million and provided $185.8 million to the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response.
As part of the government's fall spending package, the bill is expected to be signed immediately by President Biden and passed into law. Organizations should therefore begin integrating the new reporting requirements into their incident response plans. Those plans should name the Computer Security Incident Response Team (CSIRT) members as well as the public relations, legal, and executive personnel who will coordinate disclosure and notification decisions in the event of a breach. Previously established CSIRT procedures for reporting to the FBI and DOJ will no longer be sufficient on their own in light of the new law, since the reporting obligation now runs to CISA on fixed deadlines.