The US Senate unanimously passed a package of cybersecurity legislation, the Strengthening American Cybersecurity Act, ahead of President Biden’s State of the Union address. The bill now heads to the House of Representatives, where it is expected to pass. The package includes legislation mandating new reporting requirements for breaches, including a requirement that organizations notify the Homeland Security Department within 72 hours of a breach and within 24 hours if a ransomware payment is made. The bill also modernizes the Federal Information Security Modernization Act, updating it for the first time since 2014, and authorizes extensions to the FedRAMP procurement and compliance programs.
Given the prominence of cybersecurity and the potential escalation to cyber warfare in current news media, the package can be expected to pass relatively quickly in the House as well. Organizations should therefore begin integrating the new reporting requirements into their incident response plans. Those plans should include Computer Security Incident Response Team (CSIRT) members as well as personnel in public relations, legal, and executive offices, so that disclosure and notification decisions can be coordinated in the event of a breach.