The mandate, which is set to go into effect in 90 days, will forbid the export, re-export, and transfer of "cybersecurity items" to countries of national security or WMD concerns without a license.

Critical infrastructure owners and operators also would be required to provide supplemental reports to the CISA in light of new or different information becoming available.

The upcoming changes will make it mandatory for rail, air companies to name a chief cyber official, disclose hacks to the government, and draft recovery plans if an attack were to occur.

These devices range from Software as a Medical Device, such as certain mobile phone applications, to implantable medical devices, such as pacemakers, the federal agency notes.

A new cyber-incident reporting bill put forward by a Senate committee would mandate critical infrastructure owners and operators to report cyberattacks to the government within 72 hours.

According to the FTC statement, “Entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information.”

The guidance sought public comment on an overarching federal policy from OMB as well as draft technical reference architecture and maturity model from Cybersecurity and Infrastructure Security Agency.

Lawmakers heard expert testimony Thursday in favor of expanding and strengthening some regulations, including updating the 2014 Federal Information Security Modernization Act.

This move is designed to disrupt the main channel used by ransomware operations to collect ransom payments from their victims, which, as the Treasury added, amounted to over $400 million last year.

Nine Senate Democrats are urging the FTC to make new data privacy rules that will work in parallel with the long-running effort by Congress to reach an agreement on a federal privacy law.