Strengthening American Cybersecurity Act of 2022

Strengthening American Cybersecurity Act of 2022

This bill addresses cybersecurity threats against critical infrastructure and the federal government.

The Cybersecurity and Infrastructure Security Agency (CISA) must perform ongoing and continuous assessments of federal risk posture.

An agency, within a specified time frame, must (1) determine whether notice to any individual potentially affected by a breach is appropriate based on a risk assessment; and (2) as appropriate, provide written notice to each individual potentially affected.

Each agency must (1) provide information relating to a major incident to specified parties, and (2) develop specified training for individuals with access to federal information or information systems.

The bill requires reporting and other actions to address cybersecurity incidents.

Entities that own or operate critical infrastructure must report cyber incidents and ransom payments within specified time frames.

The bill limits the use and disclosure of reported information.

The bill establishes (1) an interagency council to standardize federal reporting of cybersecurity threats, (2) a task force on ransomware attacks, and (3) a pilot program to identify information systems vulnerable to such attacks.

The bill provides statutory authority for the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration (GSA).

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud computing products and services.

The bill establishes a FedRAMP Board to examine the operations of FedRAMP and the Federal Secure Cloud Advisory Committee.