How the Strengthening of the American CyberSecurity Act Affects MSPs in 2023


President Joe Biden signed the Strengthening American Cybersecurity Act into law in March of 2022. The Act consists of various regulations, but it’s the security incident reporting requirements that are creating a stir in the IT community. Currently, the reporting requirements are focused on critical infrastructure, but there is a great deal of potential that entities in various industries could ultimately be subject to these requirements.

As of the time of this writing, there is still time for the details of the Act to change. This is because the Act requires the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to publish a notice of proposed rulemaking within 24 months after the date of the Act’s signing. The Director then has 18 months to issue a finalized rule for implementation. 

What this means is that there’s some fluidity to the description of what constitutes a “covered entity,” and the type of businesses that will be subject to the Act could change based on the Director’s ultimate decisions. 

There’s a lot of speculation about what this will mean to IT providers in the long run, but the safe assumption has been to prepare for any sector that falls even loosely under the “critical infrastructure” definition to be subject to these requirements. 

In this article, we’ll discuss the basics of the recently passed Cybersecurity Act and how MSPs can navigate the changes that come along with it. 

What is the Strengthening American CyberSecurity Act of 2022?

On March 1, the U.S. Senate passed a bill affecting the security posture of federal agencies and critical infrastructure organizations.

Garnering unanimous support, the Strengthening American Cybersecurity Act of 2022 establishes reporting requirements for “covered entities” and critical infrastructure — all with the purpose of bolstering the cyberdefense of American infrastructure. 

The Strengthening American Cybersecurity Act of 2022 (referred to as the “Act” in this article) comprises three regulations:

This legislation largely concerns critical infrastructure, but it most likely heralds a trend. Certainly, similar regulations will be brought to bear in the future, and growing government interest in digital security will lead to widespread implications for the future. 

This comes as no surprise as attacks and vulnerabilities that affect critical infrastructure are making news headlines at an alarming rate. 

What this regulation means for Managed Service Providers

In its current state, the law creates a lot of questions for MSPs. The simple fact that “covered entities” are vaguely defined — and will probably change in the future — makes it difficult for IT providers to wrap their heads around the implications. 

In fact, many IT departments and MSPs have concluded that they are not regulated by this new law at all. However, they’re probably missing a critical detail in that assessment:

The Act makes a direct reference to Presidential Policy Directive 21, created in 2013. This policy defines the critical infrastructure sector as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

More directly, Policy Directive 21 spells out the following industries:

  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Chemical
  • Commercial Facilities
  • Communications
  • Transportation Systems
  • Water and Wastewater Systems
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Nuclear Reactors, Materials, and Waste

The Information Technology sector is named specifically, which means that IT departments and MSPs will fall subject to this new law. 

This also means MSPs and IT service providers will get the “double whammy” if they’re providing services for another covered entity, such as healthcare, communications, financial services, or defense. They will need to ensure their affected clients adhere to the law as well as their own business.

Reporting of cybersecurity incidents

A key part of the Act involves the creation of a clear path of reporting requirements to CISA. The path as defined facilitates a cross-functional sharing of information between CISA and other federal agencies such as the FBI. In effect, these requirements will allow the agencies to collect data and identify the threat actors more quickly. In addition, this act spells out the minimum reporting requirements for both ransomware payments and other cybersecurity incidents.

In the case of a cybersecurity incident, the Act requires the following measures:

  • A notice should be given to CISA within 24 to 72 hours.
  • This notice must include a comprehensive description of the incident and the vulnerabilities exploited, as well as any defenses that were in place when the incident occurred.
  • The report must disclose the type of information that may have been compromised.
  • Any contact information or any other additional information about the responsible parties (the attacker) should be disclosed.
  • Contact details for the impacted organization should be shared with CISA.
  • If a ransomware attack is being reported, the disclosure of the date of payment, payment instructions, ransom payment demand, and the ransom amount should be included.

As you can imagine, these requirements will put a strain on many organizations that lack the ability to quickly identify a breach and classify it before reporting it.

We all know that larger enterprises can afford in-house IT staff or a managed service provider capable of reporting these incidents quickly and efficiently, but smaller companies may not have this capacity. It’s even less likely that the average SMB would know how to collect the relevant information and submit a report on its own.

Risk assessment and mitigation

While the Strengthening American Cybersecurity Act of 2022 may not immediately affect entities operating outside critical infrastructure, MSPs should educate all of their clients that investing in cybersecurity is a crucial step in risk assessment and mitigation.

The standards defined in this Act will probably affect the private sector sometime in the future. This is a step in the right direction for security, and businesses should start preparing by assessing their cybersecurity risks and taking the necessary steps to address them before new regulations come into effect. 

Some best-practices that every enterprise should consider include:

  • Embracing zero trust architecture and access control: Many organizations still operate with unrestricted access to sensitive data and systems. By implementing zero trust and configuring access control using the principle of least privilege, they can restrict access to networks and the IT environment and minimize their overall risk.
  • Improving mobile and remote security: The prevalence of remote work and Bring Your Own Device (BYOD) policies has created additional risks for many businesses. Because cybercriminals often target mobile devices and remote workstations, users should take the appropriate measures to secure these attack surfaces.
  • Mitigation of the most common threat vectors: Simple steps toward better security practices can be a game changer for many SMBs. Implementing a password manager, enabling multi-factor authentication wherever possible, and providing cybersecurity training can reduce a business’s cyber risk significantly.

Additional considerations

We’re starting to see more standardization in how organizations prevent and remediate cybersecurity incidents across the board. The signing of this Act carries a few additional implications that are worth considering.

The Federal Risk and Authorization Management Program (FedRAMP) was created to facilitate the adoption and use of cloud technologies by the federal government, and it helps agencies implement modern cloud technologies with an emphasis on security. The rollout of the Strengthening American Cybersecurity Act of 2022 creates an opportunity for FedRAMP organizations to move toward cloud-based technologies.

We assume that regulations surrounding the private sector are already in the works, although it could be years before we see anything in writing. That said, because the security and reporting requirements outlined by law are often cost-prohibitive for smaller organizations, there may soon be a need for the government to subsidize the funding of monitoring and remediation.

Many agree that a tax incentive for SMBs that bolster their cybersecurity could be on the way. This would likely be a boon to managed service providers who often struggle to convince clients that cybersecurity costs are justified. 

How do MSPs remain compliant with the American CyberSecurity Act of 2022?

The Strengthening American Cybersecurity Act carries both penalties for non-compliance and benefits for meeting the requirements. 

In terms of the MSP’s responsibility, it’s important to note that CISA has a great deal of power to request information from a covered entity, including the power to issue subpoenas. If a business or MSP doesn’t comply with CISA’s investigations, the case could be escalated to the U.S. Department of Justice for regulatory enforcement using fines, penalties, and even incarceration.

The other side of it is that compliant entities will receive a certain level of protection from the government. By maintaining compliance, a business would be exempt from any civil suit, and the information they provide couldn’t be used against them, even if the vulnerability had occurred due to a mistake on the part of the business. 

To better understand how the Act could affect your MSP, let’s take a look at five specific sections:

Section 107. Agency requirements to notify private sector entities impacted by incidents

This section outlines how covered entities must report incidents that may affect the confidentiality or integrity of sensitive information, particularly information related to a statutory or regulatory requirement. This section also describes the reporting requirements around incidents that may impact information systems used to transmit or store sensitive information.

Section 108. Mobile security standards

This section concerns the evaluation of mobile application security, and gives guidelines on maintaining a continuous inventory of all mobile devices operated by the business. Naturally, it outlines the desired mobile security posture and how relevant data should be shared with CISA using automation (when applicable).

Section 109. Data and logging retention for incident response

The details are still in the works, but the Act will ultimately dictate what kinds of logs and data you will need to store for impacted entities, as well as how long that data will need to be retained. There will be a precise methodology in place for how to ensure the logs remain available to select government agencies for reporting, yet also confidential to protect personally identifiable information. The precise details around this section should be finalized within the next two years. 

Section 112. Ongoing threat hunting program

This section states that covered entities must “establish a program to provide ongoing, hypothesis-driven threat hunting services on the network of each agency.” They will need to be able to report on what these activities are, what threats or vulnerabilities they may have revealed, as well as anything learned from these threat hunting activities.

Threat hunting is part of a more proactive approach to cybersecurity. This section shows that lawmakers are no longer satisfied with entities simply waiting for an attack and responding as necessary. This creates many opportunities for cybersecurity-focused MSPs who can provide these threat hunting services.

Section 114. Implementing Zero Trust architecture

Zero trust is a methodology that increases internal network security by treating no software, user, or data as inherently safe or legitimate. As part of this approach, only those who need access should have it. All told, this means that users, admins, and applications can only access the areas of the network that are essential to their role.

In short, the Act outlines that IT departments should:

  • Establish a team or dedicate resources to identifying, isolating, and removing threats as quickly as is practical. In many cases, the MSP or MSSP will satisfy this suggestion by assuming that responsibility. 
  • Stop thinking about networks as trusted, and instead “assume access” and always implement controls based on the assumption that there is a risk or threat.
  • Embrace the Principle of Least Privilege when creating information security programs and managing administrative access.
  • Use methods and architecture that limit lateral movement across a network, for example micro-segmentation.

Partnering with NinjaOne

NinjaOne is here to help MSPs manage their business efficiently and securely. Thousands of users rely on our cutting-edge RMM software to navigate the complexities of modern IT management. 

Not a Ninja partner yet? We still want to help you grow your business! Visit our blog for MSP resources and helpful guides, sign up for Bento to get important guidance in your inbox, and attend our Live Chats for one-on-one discussions with channel experts. 

If you’re ready to become a NinjaOne partner, schedule a demo or start your trial to see why over 9000 customers have already chosen Ninja as their partner in security and remote management.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and back up all your devices centrally, remotely, and at scale.
Learn more about NinjaOne Protect, check out a live tour, or start your free trial of the NinjaOne platform.
