What Does The Strengthening American Cybersecurity Act of 2022 Means For Boston Small Businesses

On March 1, 2022, the Senate passed by unanimous vote the Strengthening American Cybersecurity Act. The Act is a bipartisan bill that passed the House of Representatives with a 228-194 vote and will help protect the US from cyberattacks, both internal and external.

The American Cybersecurity Act will welcome the changes to cyber-incidents and cybersecurity responses to incidents. The package requires that companies report ransomware payments and damaging hacks to the government.

These requirements are guidelines that the Biden administration sees as critical to protecting critical US infrastructure. This critical piece of legislation will provide funding for cybersecurity research and development.

The Act will also serve as a voluntary information-sharing conduit between private sector companies and the Department of Homeland Security (DHS). It makes it mandatory for DHS to create standards for the security of internet-connected devices as currently, there are no open communication channels between the DHS and the private sector.

What does the Strengthening American Cybersecurity Act of 2022 mean for small businesses in Boston?

Combination of Three Bills

The Strengthening American Cybersecurity Act is a combination of three bills:

  • Title 1: The Federal Information Security Modernization Act
  • Title 2: The Cyber Incident Reporting Legislation
  • Title 3: The Federal Secure Cloud Improvement and Jobs Act

Title II premises on the Cyber Incident Reporting for Critical Infrastructure Act (2022). The Act requires civilian federal agencies and critical infrastructure companies to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). The reports must get to the Department of Homeland Security CISA within 72 hours. The companies must also report ransomware payments within 24 hours.

The breached entities must save and sometimes present to the CISA any relevant data on the ransom payment or the cyber incident. The company would have to make additional reports until the resolution of the incident. The reports may also continue until different new information becomes available, or if the entity pays the ransomware after submission of its initial report.

The Act applies to organizations in critical infrastructure sectors as described in the Presidential Policy Directive 21 and falls into the covered entities’ definition. CISA’s website details sixteen federally designated crucial infrastructure facilities, including the following sectors:

  • Healthcare
  • Food
  • Financial sector
  • Communication
  • Information Technology
  • Energy
  • Water
  • Transportation

The Act would require some minimum reporting necessities:

  • An incident description that includes:
    • o   Characterization and identification of the affected systems, devices, and networks
    • o   The unauthorized access description
    • o   Estimated date of the breach
    • o   The impact on company operations
  • Description of the exploited vulnerabilities and the defense mechanisms in place. Also required is a description of the techniques, procedures, and tactics used against the incident.
  • Contact information of each malicious actor suspected to be responsible for the cyber incident
  • Categories of information that the unauthorized person acquired or accessed
  • The name or identifying information of the affected entity
  • Covered entity’s contact details

Ransomware Payment

For the entity making a ransomware payment, the report must include:

  • Description of the attack, including dates
  • Description of the techniques, procedures, and vulnerabilities used to carry out the ransomware attack
  • Contact details of the suspected malicious actors
  • Identifying information of the covered entity that paid for the ransomware
  • The ransomware payment date
  • The ransom demand, virtual currency type, or requested commodity
  • The payment instructions and amount demanded

What Does This Act Mean For Boston Small Businesses & Local IT Firms?

This Act means a lot to the entire country and I.T. companies. The 24-to-72-hour rule requires all companies to be on their collective toes. Companies must keep vigilant and responsive in reporting cyber breaches to CISA as they occur.

This situation may strain many companies as they must first identify and correctly classify the breaches to report them. Large corporations can afford to recruit staff and hire external I.T. consultants to help with fast and efficient detection and reporting of violations.

Small companies have financial and technical limitations and cannot afford to hire an I.T. department or a consultant. The small companies have no technical knowledge or deployed services to detect and mitigate breaches effectively.

Most cyber security breaches on small companies run them out of business. The financial burden of solving the breach, ransom payments or reputational loss, and clients’ lawsuits drain them financially.


These new federal guidelines and reporting requirements should come with funding for small businesses. The funds will help companies avoid breaches by strengthening their internal security infrastructure and funding the solutions.

A great approach would be to offer small and medium-sized companies incentives in the form of tax reductions. Companies can use these funds to strengthen their internal security infrastructure and train their employees.

If the companies prove they have done everything possible to secure their systems and still get breached, the government should exempt them from imposed fines. The federal government should offer them resources to allow them a full recovery from the breach.

Almost 50% of companies have experienced breaches, and the other 50% have also experienced it but have no idea. Even with the best and the highest security walls, a company can still suffer from breaches, especially if it’s a targeted attack.

The whole point is to mitigate or avoid violations and recover after the fact. The government should propose helping with both and helping keep small businesses afloat.

This one-of-a-kind bipartisan Act is an excellent guideline that communication should follow after an attack. Unfortunately, this applies to government entities or critical infrastructure organizations. Reporting an attack or ransomware payment allows the U.S. to acquire essential information and act accordingly.

Some hurdles may exist, but this Act is an excellent start. Not all companies will report the vulnerabilities or incidents the same way. This difference requires extra resources for CISA and the affected party to address and manage the reports.

Radius Executive the IT Solutions offers you an IT support framework that allows you the freedom to concentrate on your core business. Radius removes the IT problem from the equation of things to worry about. Contact us for more information on the range of things we do.

Latest Blog Posts

Read Tech Blog