
USA: Future of cybersecurity law and regulation

January 2, 2024
Summary

The future of U.S. cybersecurity law and regulation is focused on addressing the vulnerabilities of digital infrastructure to cyberattacks, with efforts to harmonize the patchwork of state and federal requirements. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates reporting of cyber incidents and ransom payments to CISA, offering legal protections and confidentiality for compliance. Efforts to harmonize breach reporting and cybersecurity requirements are ongoing, with the DHS and the White House seeking public input for a unified approach. Artificial intelligence poses new cybersecurity threats and defenses, prompting future regulations to include AI-specific safeguards. Supply chain attacks are also a regulatory focus, with recent SEC charges against SolarWinds highlighting the need for robust cybersecurity governance.

Protection of critical infrastructure

The US Federal Government will continue to work towards regulation of entities in sixteen critical infrastructure sectors as a matter of national security policy. A key driver of this regulation stems from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was signed into law by President Biden in March 2022, and establishes two key reporting requirements for 'covered entities' in critical infrastructure sectors, as defined in Presidential Directive 21. CIRCIA requires reporting of 'covered cyber incidents' to the Cybersecurity & Infrastructure Security Agency (CISA) within 72 hours after a covered entity reasonably be
