Congress Passes Cyber Incident Reporting for Critical Infrastructure Act of 2022
The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months from final enactment date of March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule. (more…)
U.S. Government Issues Warning of Threat Against U.S. Critical Infrastructure
On February 25, 2022, in light of Russia’s attack on Ukraine, and months of continuing Russian state-sponsored cyberattacks on Ukrainian government and critical infrastructure organizations, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” warning to American critical infrastructure organizations and businesses, stating that “[e]very organization—large and small—must be prepared to respond to disruptive cyber activity.” While the guidance states that there are no specific, credible cyber threats directed at the United States, it notes that Russian threat actors have been orchestrating denial of service and destructive malware attacks affecting Ukraine and its neighboring countries, and that such activities may spread to the United States and its NATO allies in what is a rapidly evolving scenario. (more…)
U.S. Commerce Department Proposes Expansion of Information and Communications Technology and Services Review Process
On November 26, 2021, the U.S. Department of Commerce (Commerce) issued a notice of proposed rulemaking (Proposed Rule) implementing Executive Order 14034 on Protecting Americans’ Sensitive Data from Foreign Adversaries (EO 14034). The Proposed Rule would bring “connected software applications” into the scope of Commerce’s authority to review certain transactions involving information and communications technology and services (ICTS) in the U.S. supply chain and approve or prohibit such transactions or require mitigating measures.1
A Software Primer For Attorneys After Cyber Executive Order
When President Joe Biden issued his major cybersecurity executive order on May 12, a White House press briefing said the order would invoke:
“the power of federal procurement to say, “If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.” (more…)