Cybersecurity is changing, and increasing government legislation shows how much importance every business should place on protecting itself and its operations against cyberattacks.
A landmark example is the Strengthening American Cybersecurity Act of 2022, signed into law by President Joe Biden in March 2022. The bill passed unanimously, even though similar bills had failed in recent years. This shows how dramatically the threat landscape has changed since COVID-19, and how seriously all businesses should take keeping their networks secure.
What does this new law mean for IT departments? Atera investigates.
Who does the law impact?
The law keeps the answer to this pretty broad, saying that all “covered entities” need to stay in line with the requirements of the law. So, what is a covered entity exactly?
At first glance, IT departments might think that they are not regulated by this new law. After all, the act is about organizations that qualify as “critical infrastructure”, to be defined by the Cybersecurity and Infrastructure Security Agency (CISA). This ruling will be announced within 24 months.
The Act refers specifically to the Presidential Policy Directive 21, created in 2013, which defines the critical infrastructure sector as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The Directive includes the following industries:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
As you can see, Information Technology is called out specifically, which makes it likely that many IT departments will need to comply with this new law. In addition, some MSPs and IT service providers will be impacted doubly, as they may be providing IT services to another covered entity, such as healthcare, communications, financial services, or defense.
What does the law dictate for covered entities?
These covered entities will need to report to CISA within a specific timeline, namely 72 hours after a cyber incident has been discovered, and within 24 hours after a ransomware payment.
Again, the language here is not specific yet and leaves it up to CISA to decide what a “covered cyber incident” will be, as well as how these reports will need to be submitted and handled.
According to the Act itself, we do know that it will include an incident that:
- “leads to substantial loss of confidentiality, integrity, or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes”
- causes a “disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero-day vulnerability,”
- leads to “unauthorized access or disruption of business or industrial operations due to compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or due to a supply chain compromise.”
In these reports, organizations will need to include a description of the event, an outline of which vulnerabilities were exploited, and what defenses were in place to prevent the attack from occurring. CISA will also ask for the TTPs (tactics, techniques, and procedures) the attackers used to carry out the incident.
If you make any ransomware payments, this will also need to be reported in detail. This information will need to be provided within hours and days of the incident being discovered, highlighting the importance of partnering with cybersecurity vendors and tools with strong incident response, monitoring and logging capabilities.
Specific requirements that may relate to I.T. departments
If you want to deep-dive into specific clauses of the act, here are five sections that may be relevant for your business.
Section 107. Agency requirements to notify private sector entities impacted by incidents
In this section, covered entities are told that they must report incidents that may affect the confidentiality or integrity of sensitive information related to a statutory or regulatory requirement, as well as any incident that may impact information systems used to transmit or store sensitive information.
Section 108. Mobile security standards
In this section of the Act, the guidance is that IT departments should evaluate their mobile application security, maintain a continuous inventory of all mobile devices operated by the business, and track any identified vulnerabilities related to mobile devices.
On top of this, continuous evaluation of mobile security posture should be part of the cybersecurity process, and where relevant the data should be shareable with CISA, using automation as far as is practical.
Section 109. Data and logging retention for incident response
Relevant IT departments will be told within 2 years what kinds of logs and data they will need to store, as well as how long the data will need to be retained. There will be a precise methodology in place for how to ensure the logs remain available to the right government agencies for reporting, yet also confidential to protect personally identifiable information.
Section 112. Ongoing threat hunting program
Covered entities will need to “establish a program to provide ongoing, hypothesis-driven threat hunting services on the network of each agency.” They will need to be able to report on what these activities are, what they have uncovered, as well as the lessons learned from taking these threat hunting activities.
Threat hunting is a step further than even preventive cybersecurity. While traditionally businesses could do nothing but sit and wait for an attack, most organizations today have proactive support in place to spot the first signs of a cyber threat. Threat hunting goes further: it means actively searching for attackers who may already be inside the network and working out their agenda even before the initial indicators of compromise start to show.
Section 114. Implementing Zero Trust architecture
Zero trust is a powerful method of increasing internal network security. The basic idea is that only those who need access have it. That means users, applications, and even data itself can only access the areas of the network that are essential to perform their role.
The Act outlines that IT departments should:
- Stop thinking about networks as trusted, and instead “assume access” and implement controls based on the assumption that there is a compromise.
- Use the Principle of Least Privilege when you create information security programs, to keep access at a minimum for all users.
- Use systems to limit lateral movement across a network, for example using micro-segmentation.
- Put in place the means to identify, isolate, and remove incidents as quickly as is practical, including channeling greater resources to this area.
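As an added illustration of the first three bullets above (not code from the Act or from Atera), the following Python policy evaluator treats every request as untrusted by default: an access is allowed only when an explicit rule grants that exact action on that exact resource (least privilege) and the network path between the source segment and the resource's segment is explicitly permitted (micro-segmentation, with no "inside the network" exception). The roles, segments, resources and rules are constructed sample data, and every decision is recorded so denials can be reviewed.

```python
"""Default-deny, segment-aware access policy (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    role: str            # user role or service identity making the request
    source_segment: str  # network segment the request originates from
    resource: str        # asset being accessed
    action: str          # e.g. "read" or "write"


@dataclass
class Decision:
    allowed: bool
    reason: str


class ZeroTrustPolicy:
    """Allow only what is explicitly granted; deny everything else."""

    def __init__(
        self,
        allow_rules: Dict[Tuple[str, str], Set[str]],   # (role, resource) -> actions
        segment_of: Dict[str, str],                      # resource -> segment
        allowed_paths: Set[Tuple[str, str]],             # (from_segment, to_segment)
    ) -> None:
        self.allow_rules = allow_rules
        self.segment_of = segment_of
        self.allowed_paths = allowed_paths
        self.audit_log: List[Tuple[Request, Decision]] = []

    def evaluate(self, req: Request) -> Decision:
        dest = self.segment_of.get(req.resource)
        if dest is None:
            # Unknown assets get no implicit trust.
            decision = Decision(False, f"unknown resource {req.resource!r}")
        elif (req.source_segment, dest) not in self.allowed_paths:
            # Micro-segmentation: the segment-to-segment path must be permitted
            # explicitly, which limits lateral movement after a compromise.
            decision = Decision(False, f"no permitted path {req.source_segment} -> {dest}")
        elif req.action not in self.allow_rules.get((req.role, req.resource), set()):
            # Least privilege: the role needs this exact action on this resource.
            decision = Decision(False, f"role {req.role!r} lacks {req.action!r} on {req.resource!r}")
        else:
            decision = Decision(True, "explicit allow rule and permitted path")
        self.audit_log.append((req, decision))
        return decision

    def denied_requests(self) -> List[Request]:
        """Denied requests are what an incident responder reviews first."""
        return [r for r, d in self.audit_log if not d.allowed]


def build_sample_policy() -> ZeroTrustPolicy:
    # Constructed sample environment: a clinical application tier fronting a
    # patient database, with a separate admin network for database staff.
    allow_rules = {
        ("clinician", "ehr-app"): {"read", "write"},
        ("ehr-service", "patient-db"): {"read"},   # app reads, never writes
        ("dba", "patient-db"): {"read", "write"},
    }
    segment_of = {"ehr-app": "app-tier", "patient-db": "data-tier"}
    allowed_paths = {
        ("user-lan", "app-tier"),
        ("app-tier", "data-tier"),
        ("admin-net", "data-tier"),
    }
    return ZeroTrustPolicy(allow_rules, segment_of, allowed_paths)


def run_sample() -> Tuple[ZeroTrustPolicy, List[Decision]]:
    policy = build_sample_policy()
    requests = [
        Request("clinician", "user-lan", "ehr-app", "read"),       # allowed
        Request("clinician", "user-lan", "patient-db", "read"),    # denied: no path
        Request("ehr-service", "app-tier", "patient-db", "write"), # denied: read-only
        Request("dba", "admin-net", "patient-db", "write"),        # allowed
        Request("dba", "admin-net", "file-share", "read"),         # denied: unknown asset
    ]
    return policy, [policy.evaluate(r) for r in requests]


if __name__ == "__main__":
    policy, decisions = run_sample()
    for req, dec in policy.audit_log:
        print("ALLOW" if dec.allowed else "DENY ", req, "-", dec.reason)
```

The order of the checks matters: the path check runs before the privilege check, so a compromised workstation on the user LAN cannot even reach the data tier with valid database credentials, and the denial reason tells a responder which control fired.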
The importance of remaining compliant
When it comes to the Strengthening American Cybersecurity Act, there are both sticks and carrots involved in remaining compliant with reporting obligations. First of all, CISA has a lot of control to request information from a covered entity, including subpoenas where necessary. If a business didn’t comply, this would be punishable similarly to contempt of court. This could be escalated to the Department of Justice for regulatory enforcement using fines, penalties, and even jail time.
On the other side of the coin, if your company gets in line and submits its compliance reports, it will be given a certain level of protection by the government. For example, it would be exempt from any civil suit, and the information it provides couldn’t be used against it, even if the vulnerability had occurred due to a mistake on the part of the business. This would count as protected information, and even the public wouldn’t be able to access it.
How can Atera support I.T. departments with the Strengthening American Cybersecurity Act?
At Atera, we partner with many robust cybersecurity vendors who include these features as standard. For example, Bitdefender’s Threat Intelligence includes advanced threat hunting capabilities, with Indicators of Compromise gathered from an extremely wide range of sources, including web crawlers, email traps, honeypots, botnets, and third-party data such as law enforcement data. Bitdefender even has its own virtual machine farm, executing hundreds of thousands of malware samples daily. This is helpful for Section 112.
Ironscales is another of our security partners that implements a zero-trust approach to email security. “Assume the phish” is exactly the approach that Section 114 is discussing when it talks about moving away from trusted networks and communications.
It’s up to each business to look into its networks and see whether any of its customers count as covered entities, as well as to deep-dive into its own processes to be ready for compliance with this new Act as an IT provider.
Atera is here to help! Our cybersecurity integrations have a wide range of features and tools that meet the emerging guidelines, and we’re committed to helping our users to meet and exceed their compliance regulations in all areas.
Want to learn more about cybersecurity best practices? Hear from our CISO, Oren Elimelech, in his recent webinar on staying safe from disruptive cyber attacks.