What do you know about the Strengthening American Cybersecurity Act of 2022? President Joe Biden signed the bill into law back in March, and it’s an example of how governments are taking cybersecurity a whole lot more seriously than they have done in the past.
In part due to the increase in cyberattacks during COVID-19, the government wants to make sure that any business that could have an impact on critical infrastructure knows how to shore up its defenses and report accurate and supportive information if the worst occurs.
This includes Managed Service Providers, so here’s what you need to know.
Who does this new law impact?
The Cybersecurity and Infrastructure Security Agency, also known as CISA, will be responsible for codifying exactly who counts as “covered entities” within the new law, and we won’t have a full list until 2024. However, if we look at previous directives that use this language, we’ll see that critical infrastructure is usually defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
In this previous directive, industries have included a wide range of verticals. Some will be obvious such as government facilities, defense, energy and chemical, transportation, and emergency services. Others might surprise you, including communications and manufacturing, food and agriculture, and financial services.
The one that matters here is under the umbrella of Information Technology. This means that MSPs and IT service providers all need to pay close attention to this new law, and even more so if they are working for customers in another covered area, such as MSPs who work with healthcare providers, or those that have clients in the Financial Services space.
What do I need to do as an MSP?
If a cyber incident occurs, MSPs will need to make it part of their incident response plan to report all details to CISA within 72 hours of discovery. If a ransomware payment is made, the report needs to be completed within 24 hours. Exactly which kinds of cyber incident are covered is not yet completely clear, but the act includes any incident that:
- “leads to substantial loss of confidentiality, integrity, or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes”
- Causes a “disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero-day vulnerability,”
- Leads to “unauthorized access or disruption of business or industrial operations due to compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or due to a supply chain compromise.”
As you can see, managed service providers are specifically mentioned in the final item on the list, making this particularly relevant. When you send the report to CISA, you’ll need to include:
- A description of the event
- Which vulnerabilities were exploited
- What defenses were in place and how they were sidestepped
- The TTPs (Tactics, Techniques, and Procedures) of the attackers
- Any ransomware payments that have been made to the attackers
Specific requirements that may relate to Managed Service Providers
To make things easier for MSPs, we’ve highlighted four key areas of the new law which may be of special interest to your business. We recommend you look over the whole law in detail here so that you can be clear on your obligations.
Section 118. Quantitative cybersecurity metrics
In section 118, the act discusses the metrics that an MSP would need to collect which relate to cybersecurity. This should prompt MSPs to ensure they can measure data related to intrusion, incident detection, and response times. In particular, the act describes three types of tests that should be completed to gain these metrics:
- Penetration tests that validate whether the metrics are accurate, for example how quickly an incident triggers an alert within a network.
- Analysis capacity: the ability to analyze trends and incident response capabilities in more detail across all customers.
- Tests to ensure that the MSP can access time-based metrics, showing how quickly a business can respond to a threat.
Section 123. Federal cybersecurity requirements
Under the section of the act on federal cybersecurity requirements, you’ll find the details you need if you want to apply for an exemption. You’ll need to be able to prove to CISA that the operational requirements for reporting, or any other ruling, are “excessively burdensome to implement” and are not necessary in order to secure the information or data that you’re holding. You must also include in your request proof that your agency has taken its own necessary steps to secure the agency information.
The exemption, if granted, will usually only last one year, at which point you’ll need to apply for a renewal.
Section 203. Cyber incident reporting
This section of the act discusses the processes for cyber incidents and ransomware payment reports. The full details of covered entities and the types of cyberattacks that will need reporting will be released by CISA within 24 months. However, the act specifically mentions “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”
MSPs will also be asked to consider and track the sophistication or novelty of the attacker’s TTPs, the type, volume, and sensitivity of the data under attack, the number of individuals impacted (both directly and indirectly), and the potential impact on what the government calls industrial control systems. MSPs will not need to report when a hack or attack is carried out under a “white hat” umbrella, whether for penetration testing or other forms of good-faith security activity.
MSPs will need to be able to report:
- A description of the attack: How the information systems, networks, or devices were impacted, how the business has been disrupted and how the access occurred, the date range of the incident, and the impact on operations.
- A description of the vulnerabilities: What the vulnerabilities were and how they were exploited, including all known TTPs (Tactics, Techniques, and Procedures).
- The data impact: What data has been accessed or acquired as a result of the attack, including categories of data such as PII or HIPAA-covered data.
- Details about your business: Your name, legal identifiers, state or region of incorporation, and contact information so that you can assist with compliance and incident response.
A similar report will be required for a ransomware attack, including details about the hackers if available, and any information about a ransom — for example payment instructions or currency requests.
The final section of 203 discusses voluntary reporting, allowing MSPs to report any cyber incidents that are not covered under this ruling, simply to help the government with its awareness of cyber threats. If you would like to voluntarily report any information, your business will be covered against liability in the same way as it is for covered attacks.
Section 206. Ransomware threat mitigation activities
In Section 206, the act turns to ransomware threat mitigation. Here, MSPs need to remember that ransomware is one of the largest threats facing supply chains today, and they can read how the government is approaching this critical area of cybersecurity, alongside the FBI and a new Joint Ransomware Task Force. This task force will be able to prioritize intelligence-driven operations, consult with various third parties to get insight and further input, identify the highest threats, and collate metrics that can be used to disrupt ransomware activities and share trends in the wider industry.
It is likely that this information will be gathered and dispersed to supply chain leaders such as MSPs and other covered entities in order to adapt processes, collect the right metrics, and better protect themselves against ransomware moving forward.
Why should MSPs care about remaining compliant?
The truth is, like all other compliance regulations, the Strengthening American Cybersecurity Act is in the best interests of your business. By collecting the right information, monitoring and logging for unusual behavior, and quickly reporting any incidents — you help to keep your whole supply chain safe. After all, if an attack occurs, it’s likely to be your business that pays the price. The government is incentivizing companies to remain compliant by promising that they will remain exempt from any civil suit brought against them, for example by those whose data has been stolen due to vulnerabilities in your network or infrastructure. All information given to CISA under this act will be protected information, and unavailable to the public.
On the other side of the coin, you can get in a lot of trouble for not complying with the new act. CISA can compel you to provide information with a subpoena, and if the Department of Justice gets involved, your business could be fined, and you might even be tried in a criminal proceeding.
How can Atera support Managed Service Providers with the Strengthening American Cybersecurity Act?
You’ll need to think hard about your IT stack, and what technology you’ll need to ensure you remain compliant with the relevant elements of the act, but Atera is here to help!
We partner with many feature-rich cybersecurity vendors who can help you with elements of compliance, tracking the right metrics, holding logs and event records so that you can find all the information you need for reporting, and protecting data with backups, encryption, and intelligent storage. We hope that partners such as Malwarebytes will ensure that ransomware never darkens your doors, but if the worst occurs — they will provide full visibility of threats so that you can quickly hold up your end of the compliance bargain.
No matter what elements of the act you need to comply with, Atera has your back. We’re fully committed to supporting your compliance journey, and we’re here to answer any questions you might have. In the meantime, don’t forget to check out our full list of cybersecurity integrations, so that you can work out what best suits your network and your customer environments.
Want to be as sure as you can that cyber-incident reporting is never your headache to handle? Hear from our CISO Oren Elimelech in his recent webinar on staying safe from disruptive cyber attacks.