The 2022 State of Cybersecurity Legislation and Regulation in the US

by Eric Skibinski, FiscalNote

The latest legislative and regulatory trends in cybersecurity policy you should be monitoring across the United States.

Cybersecurity is a policy area that touches almost every private firm, nonprofit, or government entity. It is both omnipresent and intangible, with legislative and regulatory bodies reacting to a shifting landscape of ransomware attacks and system outages. Heightened geopolitical concerns, especially from Russia, have organizations hyper-focused on what is required to keep computer systems secure.

Cybersecurity policy is also one of the noisiest issues to cover. A basic search for cybersecurity-related topics in the FiscalNote platform pulls in well over a thousand bills per session. The 115th Congress (2017-2018) had more than 3,000 bills that included the words “cyber” or “cybersecurity.” Maintaining situational awareness at that volume of legislation is a difficult task even for a well-staffed government affairs team — and we know that for 87 percent of you that’s not the case, according to our 2022 State of Government Affairs report.

However, with some analysis, we can cut through the noise and help your team understand the cybersecurity policy landscape to better inform your government affairs strategy and the rest of your organization.

Keeping Up with Cybersecurity Policy Around the Globe — Is Your Team Prepared?

With cybersecurity continuing to be top of mind for governments and regulators around the world, learn how technology can help you keep track of all the different bills and regulations.

Reporting and Responding to Cyberattacks

One of the largest concerns for an organization is falling victim to a cyberattack. A significant breach can result in monetary loss, damaged reputation, and a drain in resources to remedy the situation. The risks are apparent: cybercrimes increased 600 percent during the early months of the global COVID-19 pandemic, and will cost the world an estimated $10.5 trillion by the year 2025. Email spam folders are filled with phishing schemes, and IT departments are constantly reporting attempts to breach organizational systems.

A solid understanding of rules and regulations in the event of a cybersecurity incident is crucial for an organization to effectively manage the situation. Figuring out what to do, who to tell, and where to go can be confusing; especially in the U.S. as individual states begin to legislate on the topic.

One key subtopic is whether an organization is allowed to pay in the event of a ransomware attack. For example, New York (NY S 6806) and Hawaii (HB 2052) have both introduced legislation to prohibit the payment of ransoms in the event of a cybersecurity incident.

Legislatures are also outlining processes for the notification of an incident. New Jersey has introduced a bill (A 493) requiring public agencies to report cybersecurity incidents to the New Jersey Office of Homeland Security, and West Virginia (SB 278) intends to direct the Office of Technology to outline reporting requirements. The issue has even been raised at the federal level with US HR 118, which creates requirements for cyber vulnerability disclosure reporting.

Amending Cybersecurity Definitions at the Policy Level

Major cyber events, especially recently, have changed how legislators approach policy. Illinois has expanded the definition of a “disaster” in the state’s Emergency Management Agency Act to include cybersecurity events (HB 3523), and New York is considering whether ransomware should be considered larceny (SB 8296).

While a change in definitions might seem trivial, these small shifts can have a dramatic effect on how an incident is handled. A cyberattack in Illinois can now involve a state agency to coordinate a response, and a ransomware attack in New York is handled by law enforcement instead of a firm's IT department. Maintaining awareness of how definitions change at the policy level can be beneficial to an organization’s cybersecurity posture.

Establishment of Cyber Units, Committees, Task Forces, and Studies

Another shift in how legislators are approaching cybersecurity is by creating government groups to study, implement, and manage cybersecurity policies. Implementation of grant programs (US HR 4910), establishment of cyber preparedness teams (MD SB 754) or cyber civilian corps (IN HB 1274), and investment in cyber workforces (US HR 6588) will bolster the institutional knowledge organizations need to counter growing threats.

Cybersecurity Investment

Following major appropriations from legislatures in Texas and North Carolina in 2021; states such as Virginia, Tennessee, and Illinois have proposed large appropriations to support cybersecurity operations. These appropriations support the aforementioned grant programs or task forces, as well as simply updating older technology. The infrastructure law signed last year also provides billions of dollars to defend critical infrastructure from cyberattacks.

Regulatory Cybersecurity Trends

Legislation is only one piece of the effort to better secure computer systems. Various regulatory bodies help provide guidance to organizations managing these cybersecurity systems. This takes the form of implementing enacted legislation as well as presidential executive orders. Regulatory bodies can also create voluntary guidelines to better help organizations maintain secure systems.

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST), as part of the Department of Commerce, promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. While the agency is responsible for many non-cyber duties, NIST has become more prominent in cybersecurity regulations, especially in recent years.

In 2013, NIST created a Cybersecurity Framework as directed in the executive order on Improving Critical Infrastructure Cybersecurity (EO 13636) and bolstered by the Cybersecurity Enhancement Act of 2014. The framework suggests best practices to protect critical infrastructure, to be used as a guide for government and non-government entities. Last year NIST was directed in Section 4 of the executive order on Improving the Nation's Cybersecurity (EO 14028) to “solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria,” outlined in the order. The agency is in the process of publishing additional guidelines as a result with an expected deadline of May 6.

Cybersecurity and Infrastructure Security Agency

The Cybersecurity and Infrastructure Security Agency (CISA) is part of the Department of Homeland Security and focuses on public and private organizations as well as government bodies’ cybersecurity operations to “promote the adoption of common policies and best practices that are risk-based and able to effectively respond to the pace of ever-changing threats.” The agency provides a multitude of products, including Capacity Enhancement Guides in an effort to provide recommendations and best practices to federal, state, and private entities regarding cybersecurity.

In 2017 CISA supported the implementation of Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The agency is also supporting the implementation of EO 14028 (mentioned above) in multiple roles including the establishment of a Cyber Incident Review Board, creating a standardized playbook for responding to vulnerabilities and incidents, and establishing additional cyber safeguards across the federal government. As with NIST, this implementation process is ongoing.

Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) is a program established by the Department of Defense to support firms in the Defense Industrial Base to better secure the unclassified computer systems contractors and subcontractors use. The certification uses a tiered model of increasing security protocols based on the sensitivity of the information, as well as various assessment and implementation checks to ensure cybersecurity best practices.

The most recent iteration (CMMC 2.0) was published in November of 2021 and is currently going through the rulemaking process. CMMC 2.0 will amend sections of the Code Federal Regulations (CFR) and the Defense Federal Acquisition Regulation Supplement (DFARS).

Track Cybersecurity Legislation with FiscalNote

With a fluid landscape, a high volume of legislation and regulation, and intense focus from almost every industry, changes in cybersecurity policy can prove difficult to monitor. FiscalNote’s legislative tracking solutions can provide policy information at the global, federal, state, and local levels when you need it, so you can craft and execute a successful government affairs strategy that keeps your team and wider organization in the know and compliant.