The National Defense Authorization Act of 2022 lays out voluntary cybersecurity practices for private companies that handle critical infrastructure in the U.S.
But provisions all rely on the voluntary participation by industry, which owns and operates the vast majority of the nation’s critical infrastructure. Despite bipartisan calls after massive breaches at SolarWinds, Microsoft Exchange, Colonial Pipeline and other hacks, the NDAA made it through the House without mandatory incident reporting requirements for the private sector.
I disagree on the “voluntary” part. Make it mandatory, otherwise we end up with T-Mobile’s half-dozen breaches in the span of four years.