Signed into law in March of 2022, the Strengthening American Cybersecurity Act (SACA) gives federal authorities an overview of all cyber attacks against critical infrastructure in the United States for the very first time.
SACA has three parts:
- The first updates federal cyber laws to improve coordination and communication among federal agencies and require them to share cyber incident information with CISA.
- Second, it requires the reporting of cyber incidents against critical infrastructure.
- Third, it streamlines the processes for how federal agencies receive approval to use cloud technologies.
SACA comes at a time when governments are facing a significant paradigm shift.
Remote and hybrid work, coupled with an explosion of mobile devices, Internet-of-Things sensors, and other network-connected endpoints have made the traditional security perimeter disappear. Traditional firewalls and castle-and-moat security strategies that tried to prevent every possible attack are no longer sufficient.
Instead, agencies must embrace a risk-based approach to cyber resiliency that seeks to manage and minimize attacks when they inevitably occur.
What SACA Means For Governments
SACA mandates prompt reporting of data breaches to critical infrastructure. Organizations that make a ransomware payment have 24 hours to report those details. And while the act primarily addresses concerns to critical infrastructure, secondary and local government organizations and private companies that conduct business with the government should brace themselves for the repercussions to cascade down to them as well.
How To Respond
While the final implementation and reporting guidelines for SACA are still forthcoming, governments and private organizations should start work now on building a robust cybersecurity strategy.
In the Center for Digital Government’s new issue brief, The Strengthening America Cybersecurity Act: What To Know and How To Comply — sponsored by Arctic Wolf — organizations can gain insights into how SACA will impact their day-to-day operations, as well as what is required of them.
In the brief, you’ll learn:
- What SACA tells us about the need to make prompt reporting a priority
- What the government cybersecurity landscape looks like
- The six crucial steps to take now