In March 2022, President Joe Biden signed the Strengthening American Cybersecurity Act (the “Act”) into law. While the Act consists of various regulations, the security incident reporting requirements for entities in critical infrastructure sectors are getting the most attention. Although the reporting requirements are focused mainly on entities in critical infrastructure, there is potential that entities in various industries could be subject to these requirements.

Applicability.

The Act applies to “covered entities,” a term broadly defined to include entities in “critical infrastructure.” Critical infrastructure under Presidential Policy Directive 21 is defined to include the following sectors:

  • Chemicals.
  • Commercial facilities.
  • Communications.
  • Critical manufacturing.
  • Dams.
  • Defense industrial base.
  • Emergency services.
  • Energy.
  • Financial services.
  • Food and agriculture.
  • Government facilities.
  • Healthcare and public health.
  • Information technology.
  • Nuclear reactors, material, and waste.
  • Transportation systems.
  • Water and wastewater systems.

While the above definition is quite broad, the Act requires the Director of the Cybersecurity and Infrastructure Security Agency (the “Director”) to publish a notice of proposed rulemaking no later than 24 months after the date of enactment of the Act. Then, no later than 18 months after the proposed rulemaking, the Director shall issue a final rule for final implementation. This rulemaking will include:

  • “A clear description of the types of entities that constitute covered entities, based on—
    • the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
    • the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
    • the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
  • A clear description of the types of substantial cyber incidents that constitute covered cyber incidents.”

Therefore, until the Director issues a final rule providing a clear description of what constitutes a “covered entity,” it is unclear what businesses will be subject to the Act. One broad interpretation of the Act is that a “covered entity” can include any business under the critical infrastructure sectors, including any business subject to the Health Insurance Portability and Accountability Act, which would fall under the healthcare and public health sector.

Reporting Requirements.

In general, the Act has the following reporting requirements for “covered entities” that experience a “covered cyber incident.” Covered cyber incidents will be further defined by the Director as noted above.

  • The Act requires covered entities to notify the Cybersecurity and Infrastructure Security Agency (CISA) (the “Agency”) within 72 hours of discovering a covered cyber incident.
  • The Act also requires notifying the Agency within 24 hours of receiving a ransom payment demand.

The notice to the Agency shall include the following information:

  • A full description of the incident, including the estimated date range and impact on the operations of the impacted entity.
  • A description of the vulnerability exploited and the defenses that were in place at the time of the incident.
  • The identifying or contact information about the responsible parties, if known.
  • The category or categories of information that may have been compromised.
  • Contact details of the impacted entity providing notice.

What to Do Now

The short answer is “let’s wait and see.” As the Act stands now, it is unclear what businesses in critical infrastructure sectors will be considered “covered entities.” In the meantime, as with other data privacy laws and regulations, businesses should take the time to review their policies and procedures (such as an incident response plan to meet the 72-hour requirement, or a written information security policy) to ensure they are able to detect, respond to, and mitigate data security incidents, and that they continue effective training for their employees and staff on new cybersecurity threats.

We in Taft’s Privacy and Data Security Practice, with the help of our Government Affairs colleagues Graham Hill and Martin Edwards in Taft’s D.C. office, have been monitoring developments in the rulemaking. Based on meetings attended to date, we expect there to be considerable industry engagement. Our understanding is that CISA has made the rulemaking a top priority. We will continue to monitor and provide updates here.

As always, please stay tuned to Taft Privacy and Data Security Insights for more information on the Act and other privacy updates.

Zenus Franklin

Zenus has wide-ranging experience with data governance and information technology, which brings a unique and vital perspective to his practice. He advises clients on data privacy matters, such as risk management, policy development, training, audits, website privacy policies and terms of use, website cookies, M&A due diligence, and data breach and incident response management. His expertise spans federal privacy regulations such as HIPAA, GLBA, FCRA, TCPA, FERPA, and COPPA, along with state laws governing the processing of personal information, such as the California Consumer Privacy Act and state Data Broker laws. Additionally, Zenus provides guidance to clients on global data privacy matters, including the GDPR.

Scot Ganow

Scot is a partner at Taft and is chair of the firm’s Privacy, Security, and Artificial Intelligence Practice. As a former chief privacy officer leveraging more than 10 years of management and compliance experience in Fortune 500 companies prior to law school, Scot brings a diverse business background to his practice at Taft. Scot represents clients in a variety of sectors, including consumer reporting, construction, healthcare, broadband services, and manufacturing.