OODA Loop

Understand tomorrow, today.

CISA Granted Subpoena Power as Cyber Incident Reporting Bill Signed into Law

Archive, OODA Original, Security and Resiliency / by

The Strengthening American Cybersecurity Act:  Background and Update

There are so many important headlines we do not want to get lost ‘below the fold’ for our membership, and this update is one of those headlines.

On March 2nd, overshadowed by the State of the Union that evening, the Senate unanimously passed the Strengthening American Cybersecurity Act, which was actually various bills made into one piece of legislation.

A vital piece of the consolidated legislation was a cyber incident reporting bill, mandating critical infrastructure owners notify the Homeland Security Department within 72 hours of a hack and 24 hours if the organization made a ransomware payment.



OODA Loop Sponsor

After the Senate approval, “attention turned to the House, where the supporters of the cyber incident reporting mandate vowed to get the legislation to the president’s desk.   However, they predicted the measure would likely have to be attached to another, must-pass piece of legislation, like the annual defense policy roadmap.”  (2)

On March 11th, “lawmakers approved the bill…as part of a sweeping $1.5 trillion government funding deal. The House passed the legislation earlier [in the] week.” (3)

On March 15th, all these efforts came to fruition as President Biden signed the cyber incident reporting bill into law.

Predictions that the act would need to be attached to a critical piece of legislation for passage were correct, as “The Strengthening American Cybersecurity Act…was attached to the spending deal that keeps the federal government open until September…. [the act] requires that critical infrastructure operators alert the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and 24 hours if the organization made a ransomware payment.” (1)

What Next?

the Strengthening American Cybersecurity Act “grants CISA:

  1. The power to subpoena entities that don’t report a cyber incident or ransomware payment.
  2. Two years to publish a notice in the Federal Register on proposed rulemaking to implement the reporting effort, though it may move faster due to heightened concerns about Russian cyberattacks bleeding out of Moscow’s invasion of Ukraine.”  (1)

Subpoena power for CISA?  along two years to publish proposed rulemaking to implement the reporting effort?  Very interesting – and we will endeavor to track that process for our membership in the year ahead.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community

About Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.