Despite a significant uptick in high-level cyberattacks this year, a new defense bill signed by President Biden will see the private sector, instead of the US government, tasked with protecting the majority of the nation's critical infrastructure.
The National Defense Authorization Act (NDAA) is signed into law each year and addresses a wide range of issues including cybersecurity.
The NDAA for 2022 authorizes $770bn for defense funding by the US government, but will also now require the Cybersecurity and Infrastructure Security Agency (CISA) to update an incident response plan every two years and work together with other government agencies as well as the private sector to establish an exercise program to assess its effectiveness.
According to Senator Maggie Hassan, next year's NDAA will also “ensure that the National Guard can provide cyber support services to critical infrastructure entities – including local governments and businesses”. At the same time, the new law will establish a grant program at the Department of Homeland Security aimed at fostering collaboration on cybersecurity technologies between public and private sector organizations in the US and Israel.
The NDAA for fiscal year 2022 also includes provisions that codify existing public-private partnerships at CISA aimed at providing continuous monitoring of industrial control systems which are part of the CyberSentry program. CISA will also have to develop “Know Your Customer” (KYC) guidelines for cloud computing and other service providers that make up the internet ecosystem.
While next year's NDAA does address many cybersecurity issues facing the US, all of its provisions rely on the voluntary participation of private sector organizations that own and operate most of the country's critical infrastructure.
Although 2021 saw a number of high-level data breaches and cyberattacks that affected SolarWinds, the Colonial Pipeline, Microsoft Exchange and others, the NDAA was able to make it through the house without mandatory incident reporting requirements for private sector organizations.
While lawmakers wanted organizations to be forced to report cyber incidents and ransomware payments to the government with financial penalties as an enforcement mechanism, unfortunately these requirements didn't make it into the final bill which has now become law.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.