President Joe Biden on Tuesday signed into law a $1.5 trillion government funding bill that includes legislation mandating critical infrastructure owners report if their organization has been hacked or made a ransomware payment.
Biden signed the legislation during a White House ceremony that was attended by administration officials and top Democratic lawmakers, including House Speaker Nancy Pelosi (Calif.) and Senate Majority Leader Chuck Schumer (N.Y.).
The Strengthening American Cybersecurity Act — which was attached to the spending deal that keeps the federal government open until September — requires that critical infrastructure operators alert the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and 24 hours if the organization made a ransomware payment. It also grants CISA the power to subpoena entities that don’t report a cyber incident or ransomware payment.
The measure becoming law is a complete reversal from only a few months ago when it was stripped from the annual defense policy bill.
CISA will have up to two years to publish a notice in the Federal Register on proposed rulemaking to implement the reporting effort, though it may move faster due to heightened concerns about Russian cyberattacks bleeding out of Moscow’s invasion of Ukraine.
“This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in America is reporting cyber-attacks and ransomware payments to the federal government,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who authored and championed the legislation along with Sen. Rob Portman (R-Ohio), said in a statement.
Portman, the panel’s top Republican, said the legislation will “give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks.”
Correction: An earlier version of this story misstated the size of the funding bill — it is $1.5 trillion, not $1.5 million.