Bill Overview
Title: Strengthening American Cybersecurity Act of 2022
Description: This bill addresses cybersecurity threats against critical infrastructure and the federal government. The Cybersecurity and Infrastructure Security Agency (CISA) must perform ongoing and continuous assessments of federal risk posture. An agency, within a specified time frame, must (1) determine whether notice to any individual potentially affected by a breach is appropriate based on a risk assessment; and (2) as appropriate, provide written notice to each individual potentially affected. Each agency must (1) provide information relating to a major incident to specified parties, and (2) develop specified training for individuals with access to federal information or information systems. The bill requires reporting and other actions to address cybersecurity incidents. Entities that own or operate critical infrastructure must report cyber incidents and ransom payments within specified time frames. The bill limits the use and disclosure of reported information. The bill establishes (1) an interagency council to standardize federal reporting of cybersecurity threats, (2) a task force on ransomware attacks, and (3) a pilot program to identify information systems vulnerable to such attacks. The bill provides statutory authority for the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration (GSA). FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud computing products and services. The bill establishes a FedRAMP Board to examine the operations of FedRAMP and the Federal Secure Cloud Advisory Committee.
Sponsors: Sen. Peters, Gary C. [D-MI]
Target Audience
Population: People using systems protected by cybersecurity measures against threats to critical infrastructure
Estimated Size: 331000000
- The bill involves cybersecurity for critical infrastructure and the federal government.
- Federal employees, especially those with access to information systems, will be impacted due to new training and incident reporting requirements.
- Individuals potentially affected by breaches, who may receive notifications, are also impacted.
- Entities that own or operate critical infrastructure will need to comply with new reporting requirements.
- IT professionals and cybersecurity staff within the federal government and critical infrastructure sectors will be directly impacted.
- Private citizens could be indirectly impacted if they are users of these systems and beneficiaries of improved cybersecurity measures.
Reasoning
- The policy impact varies based on individuals' roles and industries. The most direct impact will be on federal employees and people working in critical infrastructure, who face the new training and compliance requirements. This affects government sectors and businesses substantially involved in infrastructure operation.
- For citizens, the direct impact is minimal, as they will largely benefit from enhanced security indirectly. Their Cantril wellbeing scores will therefore not change significantly: the direct changes made by the policy do not affect their day-to-day routine beyond a theoretical increase in safety.
- Small and medium businesses with significant reliance on critical infrastructure may experience increased compliance costs, which could indirectly affect their financial wellbeing and stress levels.
- Overall, Cantril wellbeing is likely to increase slightly, because enhanced cybersecurity protects people's digital infrastructure and personal data even though they do not feel an immediate impact.
Simulated Interviews
Federal IT Manager (Washington, D.C.)
Age: 45 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 5/20
Statement of Opinion:
- This policy is a crucial step to ensuring our systems are secure.
- The additional reporting requirements will increase workload but are necessary.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 7 | 6 |
| Year 20 | 6 | 6 |
Cybersecurity Consultant (San Francisco, CA)
Age: 32 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 3/20
Statement of Opinion:
- This policy opens up more opportunities for consultancy work.
- More paperwork and guidelines to follow which adds to my workload.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 9 | 7 |
| Year 10 | 8 | 7 |
| Year 20 | 7 | 7 |
Energy Sector Manager (Chicago, IL)
Age: 55 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 4/20
Statement of Opinion:
- The financial side of implementing the policy seems hefty but necessary.
- We need to ensure all sectors are compliant to prevent breaches.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 6 | 5 |
| Year 20 | 5 | 5 |
Software Developer (New York, NY)
Age: 28 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 6/20
Statement of Opinion:
- The heightened focus on cybersecurity is good for my line of work.
- The rapid changes and compliance checks are a bit overwhelming.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 9 | 8 |
| Year 10 | 9 | 8 |
| Year 20 | 8 | 7 |
Small Business Owner (Austin, TX)
Age: 41 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 3.0 years
Commonness: 4/20
Statement of Opinion:
- Cybersecurity enhancements are good for business confidence.
- Compliance costs may push small businesses financially.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 6 | 6 |
| Year 20 | 5 | 5 |
Federal Employee (Seattle, WA)
Age: 25 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 6/20
Statement of Opinion:
- New policies mean job security as long as I'm trained well.
- I'm pleased to be part of something making a difference.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 7 | 6 |
| Year 20 | 6 | 6 |
Retired (Miami, FL)
Age: 64 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 2.0 years
Commonness: 5/20
Statement of Opinion:
- I feel a bit more at ease knowing protections are in place.
- The government seems to be taking cybersecurity seriously.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 5 | 5 |
| Year 10 | 5 | 5 |
| Year 20 | 5 | 5 |
Telecom Network Engineer (Houston, TX)
Age: 48 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 4/20
Statement of Opinion:
- The short-term requirements are stressful but necessary.
- In the long-term, security will be less of a worry.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 6 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 7 | 6 |
| Year 20 | 7 | 6 |
Hospital Administrator (Boston, MA)
Age: 39 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 8.0 years
Commonness: 3/20
Statement of Opinion:
- Security in healthcare is a priority, and this helps.
- Balancing regulation and patient care needs careful focus.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 7 |
| Year 20 | 7 | 7 |
Bank Executive (Los Angeles, CA)
Age: 50 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 4/20
Statement of Opinion:
- The policy fortifies our defenses against cyber risks.
- We need to ensure customers are confident in our security measures.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 7 | 7 |
| Year 5 | 7 | 7 |
| Year 10 | 7 | 6 |
| Year 20 | 6 | 6 |
Cost Estimates
Year 1: $1500000000 (Low: $1300000000, High: $1800000000)
Year 2: $1550000000 (Low: $1350000000, High: $1850000000)
Year 3: $1600000000 (Low: $1400000000, High: $1900000000)
Year 5: $1700000000 (Low: $1500000000, High: $2000000000)
Year 10: $1800000000 (Low: $1600000000, High: $2100000000)
Year 100: $1800000000 (Low: $1600000000, High: $2100000000)
Key Considerations
- Investment in cybersecurity is critical to protect national infrastructure and minimize risks of substantial economic losses due to cyber breaches.
- The costs include both initial investments in infrastructure and training, as well as continuous assessments and improvements.
- Collaboration across multiple federal agencies will necessitate enhanced coordination and potential bureaucratic streamlining.