

Policy Briefing — Strengthening American Cybersecurity Act

The U.S. Senate unanimously passed the Strengthening American Cybersecurity Act, bundling CISA incident reporting mandates, FISMA modernization, and a statutory FedRAMP program.

Executive briefing: The U.S. Senate passed S.3600, the Strengthening American Cybersecurity Act (SACA). The legislation requires covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours and to disclose ransomware payments within 24 hours; it also modernises the Federal Information Security Modernization Act (FISMA) and permanently authorises FedRAMP.

Major statutory obligations

  • 72-hour incident reports. Owners and operators in critical infrastructure sectors must notify CISA no later than 72 hours after a covered cyber incident and supply supplemental updates as new information emerges.
  • Ransom payment disclosure. Paying a ransomware demand triggers a 24-hour reporting clock to CISA, and entities must preserve data relevant to the event.
  • Federal modernization. The act updates FISMA risk management expectations and formalises FedRAMP with board governance, automation priorities, and transparency requirements.

Readiness steps for regulated entities

  • Inventory which business units qualify as covered entities under Section 2240 and map reporting thresholds to existing incident classification matrices.
  • Update ransomware playbooks to capture the 24-hour payment notification requirement and identify the legal, finance, and communications contacts responsible for submission.
  • Ensure record preservation controls satisfy the obligation to maintain forensic data relevant to a covered incident for at least two years.

Strategic implications

  • CISA coordination. The law empowers CISA to issue subpoenas for non-compliance and share anonymised data with sector risk management agencies, making early engagement essential.
  • Harmonisation pressures. Expect regulators such as the SEC, TSA, and banking supervisors to align incident notification rules with the SACA timelines.
  • Program assurance. FedRAMP’s codification sets expectations for continuous monitoring automation that cloud suppliers must evidence in security packages.

Zeph Tech is updating incident notification runbooks and customer communications templates so clients can satisfy CIRCIA-style reporting ahead of CISA’s final rulemaking.
