On March 15, 2022, President Biden signed into law the Strengthening American Cybersecurity Act of 2022 (the “Act”), requiring entities in the critical infrastructure sector to report both covered cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (“CISA”). First, the Act requires an entity in the critical infrastructure sector—which will likely encompass subsectors such as financial services, energy, communications, defense industrial base, and food and agriculture, among others—that experiences a “covered cyber incident” to report the incident to CISA no later than 72 hours after the entity reasonably believes the incident has occurred. Second, a critical infrastructure entity that makes a ransom payment as a result of a ransomware attack must report the payment to CISA within 24 hours of making the ransom payment.