The cyber incident reporting provisions of the Strengthening American Cybersecurity Act were signed into law in March 2022 (as Division Y of the Consolidated Appropriations Act, 2022). The Act bundles several pieces of legislation, but it is the security incident reporting requirements that are creating a stir in the IT community. For now those requirements are aimed at critical infrastructure, but there is a real chance that entities in many other industries will ultimately be subject to them.
As of the time of this writing, the details are still subject to change. The Act requires the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to publish a notice of proposed rulemaking within 24 months of enactment, and then to issue a final rule within 18 months of that notice. The reporting obligations themselves only take effect once that final rule is in place.
This means there is some fluidity in the definition of a “covered entity,” and the types of businesses that end up subject to the Act will depend on the Director’s ultimate decisions.
There’s a lot of speculation about what this will mean to IT providers in the long run, but the safe assumption has been to prepare for any sector that falls even loosely under the “critical infrastructure” definition to be subject to these requirements.
In this article, we’ll discuss the basics of the recently passed Cybersecurity Act and how MSPs can navigate the changes that come along with it.
What is the Strengthening American Cybersecurity Act of 2022?
On March 1, 2022, the U.S. Senate passed a bill affecting the security posture of federal agencies and critical infrastructure organizations.
Passed by unanimous consent, the Strengthening American Cybersecurity Act of 2022 establishes incident reporting requirements for “covered entities” in critical infrastructure, with the purpose of bolstering the cyberdefense of American infrastructure.
The Strengthening American Cybersecurity Act of 2022 (referred to as the “Act” in this article) combines three bills:
- The Federal Secure Cloud Improvement and Jobs Act of 2022
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
- The Federal Information Security Modernization Act of 2022
Of the three, it is the incident reporting title, CIRCIA, that was signed into law in March 2022; the other two passed the Senate as part of the same bill but were not enacted at that time.
This legislation largely concerns critical infrastructure, but it most likely heralds a trend: similar regulations are likely to follow, and growing government interest in digital security will have implications well beyond the sectors named today.
This comes as no surprise as attacks and vulnerabilities that affect critical infrastructure are making news headlines at an alarming rate.
What this regulation means for Managed Service Providers
In its current state, the law raises a lot of questions for MSPs. The fact that “covered entities” are only loosely defined, and will be pinned down by CISA’s rulemaking, makes it difficult for IT providers to gauge the implications.
In fact, many IT departments and MSPs have concluded that they are not regulated by this new law at all. That assessment probably overlooks a critical detail:
The Act defines a covered entity by reference to the critical infrastructure sectors of Presidential Policy Directive 21, issued in 2013. That directive defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
More directly, Policy Directive 21 designates the following 16 sectors:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
The Information Technology sector is named explicitly, which puts IT departments and MSPs squarely inside the pool from which CISA will draw its covered entities. Note, though, that being in a listed sector is not by itself enough: under CIRCIA a covered entity is one in a critical infrastructure sector that also meets the definition CISA sets in its final rule, which must weigh the consequences of a disruption to the entity, the likelihood of its being targeted, and the extent to which damage to it would disrupt other critical infrastructure.
This also means MSPs and IT service providers get a “double whammy” if they provide services to another covered entity, such as a healthcare, communications, financial services, or defense organization. They will need to ensure their affected clients adhere to the law as well as their own business.
Reporting of cybersecurity incidents
A key part of the Act involves the creation of a clear path of reporting requirements to CISA. The path as defined facilitates a cross-functional sharing of information between CISA and other federal agencies such as the FBI. In effect, these requirements will allow the agencies to collect data and identify the threat actors more quickly. In addition, this act spells out the minimum reporting requirements for both ransomware payments and other cybersecurity incidents.
For a covered cyber incident, the Act requires the following:
- A report to CISA within 72 hours of the entity reasonably believing that a covered cyber incident has occurred. A ransom payment must be reported within 24 hours of the payment being made.
- A description of the incident, including the vulnerabilities exploited and the defenses that were in place when the incident occurred.
- The categories of information believed to have been accessed or acquired.
- Where applicable, any identifying or contact information for the actors reasonably believed to be responsible.
- Contact information for the impacted entity, or for a third party authorized to report on its behalf.
- For a ransomware payment, the date of payment, the payment instructions, the ransom demand, and the amount paid.
- Supplemental reports promptly after substantial new or different information becomes available, until the entity notifies CISA that the incident is concluded and fully mitigated.
As you can imagine, these requirements will strain many organizations that lack the ability to quickly identify a breach and classify it before reporting it.
Larger enterprises can afford in-house IT staff or a managed service provider capable of reporting these incidents quickly and efficiently, but smaller companies may not have that capacity. It is even less likely that the average SMB would know how to collect the relevant information and submit a report on its own. CIRCIA explicitly allows a covered entity to have a third party, such as an MSP or incident response firm, submit reports on its behalf, although the reporting obligation stays with the covered entity.
Risk assessment and mitigation
While the Strengthening American Cybersecurity Act of 2022 may not immediately affect entities operating outside critical infrastructure, MSPs should educate all of their clients that cybersecurity is a crucial part of risk assessment and mitigation.
The standards defined in this Act will probably reach the wider private sector at some point. That is a step in the right direction for security, and businesses should start preparing by assessing their cybersecurity risks and addressing them before new regulations come into effect.
Some best-practices that every enterprise should consider include:
- Embracing zero trust architecture and access control: Many organizations still operate with unrestricted access to sensitive data and systems. By implementing zero trust and configuring access control on the principle of least privilege, they can restrict access to networks and the IT environment and minimize their overall risk.
- Improving mobile and remote security: The prevalence of remote work and Bring Your Own Device (BYOD) policies has created additional risk for many businesses. Because cybercriminals often target mobile devices and remote workstations, organizations should take appropriate measures to secure these attack surfaces.
- Mitigation of the most common threat vectors: Simple steps toward better security practices can be a game changer for many SMBs. Implementing a password manager, enabling multi-factor authentication wherever possible, and providing cybersecurity training can reduce a business’ cyber risk significantly.
We’re starting to see more standardization in how organizations prevent and remediate cybersecurity incidents across the board. The signing of this Act carries a few additional implications that are worth considering.
The Federal Risk and Authorization Management Program (FedRAMP) was created to facilitate the federal government’s adoption of cloud technologies, and helps agencies implement modern cloud services with an emphasis on security. The Federal Secure Cloud Improvement and Jobs Act title of the Strengthening American Cybersecurity Act of 2022 would codify FedRAMP in statute, which creates an opportunity for FedRAMP-authorized providers as agencies move toward cloud-based technologies.
We assume that regulations for the private sector are already in the works, although it could be years before we see anything in writing. That said, the security and reporting requirements this kind of law imposes are often cost prohibitive for smaller organizations, so there may soon be a need for the government to subsidize monitoring and remediation.
Many observers expect a tax incentive for SMBs that bolster their cybersecurity. This would likely be a boon to managed service providers, who often struggle to convince clients that cybersecurity costs are justified.
How do MSPs remain compliant with the Strengthening American Cybersecurity Act of 2022?
The Strengthening American Cybersecurity Act carries both penalties for non-compliance and benefits for meeting the requirements.
In terms of the MSP’s responsibility, it is important to note that CISA has considerable power to request information from a covered entity that it believes failed to report, including the power to issue a subpoena. If a business or MSP does not comply with a subpoena, CISA can refer the matter to the U.S. Department of Justice, which may bring a civil action in federal court to enforce it, and a court can punish noncompliance with its order as contempt. Information obtained through a subpoena can also be referred to the Attorney General for a criminal investigation or regulatory enforcement action.
The other side of it is that entities that report in compliance with the Act receive a degree of protection. No lawsuit may be brought against an entity solely on the basis of a report it submitted, the reports are exempt from public disclosure under FOIA, and the contents cannot be used by federal, state, or local regulators to take enforcement action against the reporting entity, even if the incident occurred because of a mistake on its part. These protections attach to the report itself, not to the underlying incident, so a breach can still have legal consequences through other channels.
To better understand how the Act could affect your MSP, let’s take a look at five specific sections. These sit in the bill’s FISMA modernization title, which is written for federal agencies (and the contractors that run their systems) rather than for covered entities in general, and which had not been enacted as of this writing. They are still worth reading because they spell out what the government now expects of a mature security program:
Section 107. Agency requirements to notify private sector entities impacted by incidents
This section sets out how federal agencies must notify private sector entities whose sensitive information may have had its confidentiality or integrity affected by an incident at the agency, particularly information tied to a statutory or regulatory requirement. It also covers notification when an incident may affect information systems used to transmit or store that information. For an MSP, the lesson is that downstream notification of affected parties is becoming a formal obligation, not a courtesy.
Section 108. Mobile security standards
This section concerns the evaluation of mobile application security and directs agencies to maintain a continuous inventory of all mobile devices they operate. It also describes the desired mobile security posture and how relevant data should be shared with CISA using automation where applicable.
Section 109. Data and logging retention for incident response
The details are still being worked out, but this section would dictate what kinds of logs and data must be retained for incident response and for how long. It also calls for a defined method of keeping those logs available to the relevant government agencies for reporting while protecting personally identifiable information. For an MSP, the practical takeaway is to decide now which logs you keep, for how long, and who can read them.
Section 112. Ongoing threat hunting program
This section directs CISA to “establish a program to provide ongoing, hypothesis-driven threat hunting services on the network of each agency.” Agencies will need to report what these activities are, what threats or vulnerabilities they revealed, and what was learned from them.
Threat hunting is part of a more proactive approach to cybersecurity. This section shows that lawmakers are no longer satisfied with entities simply waiting for an attack and responding as necessary. That creates opportunities for cybersecurity-focused MSPs who can provide threat hunting services.
Section 114. Implementing Zero Trust architecture
Zero trust is a methodology that increases internal network security by treating no software, user, or data as inherently safe or legitimate. Under this approach only those who need access should have it, so users, admins, and applications can reach only the parts of the network essential to their role.
In short, the bill directs agencies, and by extension the IT departments and MSPs that support them, to:
- Establish a team or dedicate resources to identifying, isolating, and removing threats as quickly as is practical. In many cases the MSP or MSSP will satisfy this by assuming that responsibility.
- Stop treating networks as trusted; instead “assume breach” and implement controls on the assumption that a threat is already present.
- Apply the principle of least privilege when building information security programs and managing administrative access.
- Use methods and architecture that limit lateral movement across a network, for example micro-segmentation.
Partnering with NinjaOne
NinjaOne is here to help MSPs manage their business efficiently and securely. Thousands of users rely on our cutting-edge RMM software to navigate the complexities of modern IT management.
Not a Ninja partner yet? We still want to help you grow your business! Visit our blog for MSP resources and helpful guides, sign up for Bento to get important guidance in your inbox, and attend our Live Chats for one-on-one discussions with channel experts.
If you’re ready to become a NinjaOne partner, schedule a demo or start your trial to see why over 9000 customers have already chosen Ninja as their partner in security and remote management.