For MSPs, detecting and documenting cybersecurity incidents has always been important. But now, it’s a formal legal requirement in some cases, thanks to the recently enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022.
The new law, a response to the recent spate of cyberattacks and ransomware incidents, mandates that companies report certain types of security incidents to the U.S. federal government within 72 hours of discovering the incident, and within 24 hours if they make a ransomware payment. The reporting requirement was passed as part of the omnibus spending bill that Congress approved in March 2022.
Keep reading for details on the law’s requirements, and what they mean for MSPs.
What is the Cyber Incident Reporting for Critical Infrastructure Act of 2022?
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a law that requires businesses that own or manage “critical infrastructure” to report security incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The U.S. federal government passed the law in March 2022.
Under the law, businesses need to notify CISA when they experience an incident involving at least one of the following:
- (i) Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of such information system or network, or has a serious impact on the safety and resiliency of operational systems and processes.
- (ii) Disruption of business or industrial operations due to a denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability, against—
  - (I) an information system or network; or
  - (II) an operational technology system or process.
- (iii) Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, managed service provider, other third-party data hosting provider, or supply chain attack.
These requirements are included in the text of the law.
What Information Must be Reported to CISA?
It remains to be seen exactly how CISA will interpret the law, so it’s unclear at this point what the specific reporting requirements will be. However, the act establishes certain minimum reporting requirements; it says that a covered cyber incident report will include the following, if “applicable and available”:
- A description of the covered incident.
- A description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident.
- Any identifying or contact information related to each actor reasonably believed to be responsible for the cyber incident.
- The category or categories of information that were, or are reasonably believed to have been, subject to unauthorized access or acquisition.
- Information about the affected entity, including state of incorporation or formation, legal entity name, trade names, or other identifiers.
- Contact information for the covered entity or an authorized agent of the entity.
Which Companies will be Affected by the CISA 2022 Act?
The law applies to businesses that maintain what the government calls critical infrastructure. It’s likely that CISA will interpret this term broadly and that a variety of businesses across many industries will therefore be treated as “covered entities” (meaning they are subject to the requirements of the law).
At a minimum, CISA will likely define covered entities to encompass the sixteen sectors currently defined as “critical infrastructure” industries under Presidential Policy Directive 21:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
What Does the CISA Law Mean for MSPs?
Although MSPs may not directly operate critical infrastructure, the law has important ramifications for many MSPs.
That’s because MSPs may provide services to other businesses that do operate critical infrastructure and are therefore considered covered entities. Such MSPs may be the first to discover cyber incidents involving critical infrastructure. They may also be required to help generate reports about those incidents, since MSPs are likely to have knowledge of the technical context behind an incident.
So, if you’re an MSP, now is the time to start preparing for the Cyber Incident Reporting for Critical Infrastructure Act. Start by determining whether any of your clients are considered covered entities. Make sure, too, that you have a plan in place for recording and reporting the information that the law requires following an incident.
It’s also worth thinking strategically about which information not to report. It’s important to disclose all of the information that the law requires, but as a best practice, you should not divulge more than necessary, because doing so could expose your clients to additional risk. CISA has the power to request additional information following a report, but you need not share extra information unless required.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 promises to help shore up the cyberdefenses of a variety of businesses, and reduce the risk of further incidents like the SolarWinds and Microsoft hacks of recent years. The law will help CISA to identify cyberattack trends and provide support for businesses to stop them.
As an MSP, you have an important role to play in operationalizing the act. The law makes it more important than ever to record information about cyber incidents systematically, and to be prepared to report this information in the manner required by the government.