Key points
- In March 2022, the Strengthening American Cybersecurity Act of 2022 passed the U.S. Senate, and its incident-reporting title, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), was signed into law by then-President Joe Biden that same month. Its stated purpose is “to improve the cybersecurity of the Federal Government, and for other purposes.”
- A big part of the law outlines the rules in incident reporting requirements, which will require certain organizations to report significant cyber incidents and ransomware payments within strict timelines once the final rules take effect.
- In 2024, CISA published the proposed reporting rules (NPRM), giving organizations a clearer picture of who may be required to report and what information must be shared.
- The final rules are expected to be completed in 2026, and until then, businesses, especially those catering to critical infrastructure, should prepare for more formal reporting obligations.
- The proposed rules clarified that MSPs are not automatically considered “covered entities,” but may be included if they support critical infrastructure customers or if incidents affect their own systems.
The Strengthening American Cybersecurity Act passed the U.S. Senate in March 2022, and its incident-reporting provisions were signed into law by President Joe Biden that same month as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The law consists of several titles, including new rules on security incident reporting. At the time, the law created a stir in the IT community because of the uncertainty surrounding those rules: it was still unclear who would be required to report incidents and how quickly.
That remained the situation until organizations received some clarity in 2024, when the Cybersecurity and Infrastructure Security Agency (CISA) published its proposed rules (Notice of Proposed Rulemaking, or NPRM). While the law is primarily aimed at critical infrastructure organizations, the proposed rules indicate that other organizations, including Managed Service Providers (MSPs) that support critical infrastructure, may also need to comply once the final requirements take effect.
Because the rules are not expected to be finalized, or to take effect, until 2026, any organization operating within, or supporting customers in, a critical infrastructure sector should already be preparing for these reporting requirements.
In this article, we’ll discuss the basics of the Cybersecurity Act and how MSPs can navigate the changes that come along with it.
What is the Strengthening American Cybersecurity Act of 2022?
On March 1, 2022, the U.S. Senate passed a bill affecting the security posture of federal agencies and critical infrastructure organizations.
Passed by unanimous consent, the Strengthening American Cybersecurity Act of 2022 establishes reporting requirements for “covered entities” in critical infrastructure sectors, with the purpose of bolstering the cybersecurity of American infrastructure.
The Strengthening American Cybersecurity Act of 2022 (referred to as the “Act” in this article) is made up of three titles:
- The Federal Secure Cloud Improvement and Jobs Act of 2022
- Cyber Incident Reporting for Critical Infrastructure Act of 2022
- The Federal Information Security Modernization Act of 2022
This legislation largely concerns critical infrastructure, but it most likely signals a trend: similar regulations are likely to follow, and growing government interest in digital security will have widespread implications.
This comes as no surprise, as attacks and vulnerabilities affecting critical infrastructure make news headlines at an alarming rate.
What this regulation means for Managed Service Providers
The proposed rules provide clarity on the plausible inclusion of MSPs as “covered entities” when they support customers in critical infrastructure sectors. Because of this, many IT departments and MSPs have begun preparing in case they are required to report cyber incidents that affect them or the systems they manage for customers. The Act itself points to this possibility:
The Act makes a direct reference to Presidential Policy Directive 21, created in 2013. This policy defines the critical infrastructure sector as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
More directly, Policy Directive 21 spells out the following industries:
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Chemical
- Commercial Facilities
- Communications
- Transportation Systems
- Water and Wastewater Systems
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Nuclear Reactors, Materials, and Waste
The Information Technology sector is named specifically. However, that does not automatically make every MSP a “covered entity”: the proposed rules are read as requiring MSPs to report incidents only if they support customers in a critical infrastructure sector.
Before the proposed rules were published, MSPs and IT service providers were also worried about a “double whammy”: having to report both incidents on their own systems and incidents in every customer environment they manage. The proposed rules instead indicate that MSPs report incidents that impact their own systems, while covered entities remain responsible for reporting incidents that affect their own environments.
Reporting of cybersecurity incidents
A key part of the Act establishes a clear path for reporting to CISA. That path facilitates cross-functional sharing of information between CISA and other federal agencies, such as the FBI. In effect, these requirements will enable agencies to collect data and identify threat actors more quickly. The Act also sets minimum reporting requirements for both ransom payments and other cyber incidents.
In the case of a cybersecurity incident, the proposed rules require the following measures:
- Notice must be given to CISA within 72 hours of the covered entity reasonably believing that a covered cyber incident has occurred, and within 24 hours of making a ransom payment.
- This notice must include a comprehensive description of the incident and the vulnerabilities exploited, as well as any defenses that were in place when the incident occurred.
- The report must disclose the type of information that may have been compromised.
- Any contact information or any other additional information about the responsible parties (the attacker) should be disclosed.
- Contact details for the impacted organization must be shared with CISA.
- If a ransom payment is being reported, the date of payment, the payment instructions, the ransom demand, and the amount paid must be included.
As you can imagine, once these requirements take effect in 2026, they could put significant strain on organizations that lack the ability to quickly identify and classify a breach before reporting it.
We all know that larger enterprises can afford in-house IT staff or a managed service provider capable of reporting these incidents quickly and efficiently, but smaller companies may not have this capacity. It’s even less likely that the average SMB would know how to collect the relevant information and submit a report on their own.
Risk assessment and mitigation
While the Strengthening American Cybersecurity Act of 2022 may not immediately affect entities operating outside critical infrastructure, MSPs should, if they haven’t already, make clear to all their clients that cybersecurity is a crucial part of risk assessment and mitigation.
The standards defined in this Act will likely reach the private sector more broadly in the future. This is a step in the right direction for security, and businesses should already be assessing their cybersecurity risks and addressing them before new regulations come into effect.
Some best practices that every enterprise should always consider include:
- Embracing zero trust architecture and access control: Many organizations still operate with unrestricted access to sensitive data and systems. By implementing zero trust and configuring access control using the principle of least privilege, they can restrict access to networks and the IT environment and minimize their overall risk.
- Improving mobile and remote security: The prevalence of remote work and Bring Your Own Device (BYOD) policies has created additional risk for many businesses. Because cybercriminals often target mobile devices and remote workstations, organizations should take appropriate measures to secure these attack surfaces.
- Mitigation of the most common threat vectors: Simple steps toward better security practices can be a game changer for many SMBs. Implementing a password manager, enabling multi-factor authentication wherever possible, and providing cybersecurity training can significantly reduce a business’ cyber risk.
Additional considerations
We’re starting to see more standardization in how organizations prevent and remediate cybersecurity incidents across the board. The signing of this Act carries a few additional implications that are worth considering.
The Federal Risk and Authorization Management Program (FedRAMP) was created to facilitate the federal government’s adoption of cloud technologies, helping agencies implement modern cloud services with an emphasis on security. The rollout of the Strengthening American Cybersecurity Act of 2022 presents an opportunity for agencies and FedRAMP-authorized providers to accelerate the transition to cloud-based technologies.
Regulations affecting private-sector organizations within critical infrastructure are already being shaped through the proposed rules and are expected to be finalized in 2026. Because the security and reporting requirements imposed by law are often cost-prohibitive for smaller organizations, there may soon be a need for the government to subsidize monitoring and remediation.
Many expect a tax incentive for SMBs that bolster their cybersecurity. This would likely be a boon to managed service providers, who often struggle to convince clients that cybersecurity costs are justified.
How do MSPs remain compliant with the American Cybersecurity Act of 2022?
Once the reporting rules take effect in 2026, non-compliant organizations can face penalties.
In terms of the MSP’s responsibility, it’s essential to note that CISA has considerable authority to request information from a covered entity, including the power to issue subpoenas. If a business or MSP fails to comply with such a subpoena, CISA can refer the matter to the U.S. Department of Justice for civil enforcement, which could include fines and penalties.
The other side is that compliant entities receive certain protections. A report submitted in compliance with the rules cannot itself be the basis of a civil suit, and the information it contains cannot be used in a regulatory enforcement action against the reporting entity, even if the incident occurred because of a mistake on the business’s part.
To better understand how the Act could affect your MSP, let’s look at five specific sections. Note that the following only describes requirements defined in the law; the specific enforcement details will be finalized in the 2026 rule:
Section 107. Agency requirements to notify private sector entities impacted by incidents
This section sets out when federal agencies must notify private-sector entities about incidents that may compromise the confidentiality or integrity of their sensitive information, particularly information tied to statutory or regulatory requirements. It also covers notification for incidents that may affect the information systems used to transmit or store that information.
Section 108. Mobile security standards
This section concerns evaluating mobile application security and maintaining a continuous inventory of all mobile devices in use. It also describes the desired mobile security posture and how relevant data should be shared with CISA, using automation where applicable.
Section 109. Data and logging retention for incident response
The details are still in the works, but the Act will ultimately dictate what kinds of logs and data must be stored for impacted entities, and how long that data must be retained. There will be a defined methodology for keeping logs available to the relevant government agencies for reporting while keeping them confidential enough to protect personally identifiable information. The precise details of this section should be settled when the final rule is published.
Section 112. Ongoing threat hunting program
This section calls for a program to “provide ongoing, hypothesis-driven threat hunting services on the network of each agency.” Those running the program will need to report what these activities are, what threats or vulnerabilities they revealed, and what was learned from them.
Threat hunting is part of a more proactive approach to cybersecurity. This section shows that lawmakers are no longer satisfied with entities simply waiting for an attack and responding as necessary. This creates many opportunities for cybersecurity-focused MSPs who can provide these threat hunting services.
Section 114. Implementing Zero Trust architecture
Zero trust is a methodology that improves internal network security by assuming that no software, user, or data is inherently safe or legitimate. Under this approach, only those who need access get it: users, admins, and applications can reach only the parts of the network essential to their role.
In short, the Act outlines that IT departments should:
- Establish a team or dedicate resources to identifying, isolating, and removing threats as quickly as is practical. In many cases, the MSP or MSSP will satisfy this suggestion by assuming that responsibility.
- Stop treating networks as trusted; instead, “assume breach” and implement controls on the assumption that a threat is already present.
- Embrace the Principle of Least Privilege when creating information security programs and managing administrative access.
- Use methods and architecture that limit lateral movement across a network, for example using micro-segmentation.
Partnering with NinjaOne
NinjaOne is here to help MSPs manage their business efficiently and securely. Thousands of users rely on our cutting-edge RMM software to navigate the complexities of modern IT management.
Not a Ninja partner yet? We still want to help you grow your business! Visit our blog for MSP resources and helpful guides, sign up for Bento to get important guidance in your inbox, and attend our Live Chats for one-on-one discussions with channel experts.
If you’re ready to become a NinjaOne partner, schedule a demo or start your trial to see why over 9000 customers have already chosen Ninja as their partner in security and remote management.
