{"id":53799,"date":"2022-04-27T16:52:50","date_gmt":"2022-04-27T12:52:50","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=53799"},"modified":"2024-08-14T12:25:58","modified_gmt":"2024-08-14T08:25:58","slug":"an-msps-guide-to-the-cyber-incident-reporting-for-critical-infrastructure-act-of-2022","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/an-msps-guide-to-the-cyber-incident-reporting-for-critical-infrastructure-act-of-2022\/","title":{"rendered":"MSP Guide for Cyber Incident Reporting and Critical Infrastructure Act"},"content":{"rendered":"<p>For MSPs, detecting and documenting cybersecurity incidents has always been important. But now, it\u2019s a formal legal requirement in some cases, thanks to the recently enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022.<!--more--><\/p>\n<p>The new law, which is a response to the recent spate of cyberattacks and ransomware incidents, mandates that companies report certain types of security incidents to the U.S. federal government within 72 hours of discovery of the incident, and 24 hours if they make a ransomware payment. This reporting requirement legislation was passed as part of the omnibus spending bill that Congress approved in March 2022.<\/p>\n<p>Keep reading for details on the law\u2019s requirements, and what they mean for MSPs.<\/p>\n<h2>What is the Cyber Incident Reporting for Critical Infrastructure Act of 2022?<\/h2>\n<p>The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a law that requires businesses that own or manage \u201ccritical infrastructure\u201d to report security incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The U.S. 
federal government passed the law in March 2022.<\/p>\n<p>Under the law, businesses need to notify CISA when they experience an incident involving at least one of the following:<\/p>\n<ol class=\"c\">\n<li>(i) Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of such information system or network, or has a serious impact on the safety and resiliency of operational systems and processes.<\/li>\n<li>(ii) Disruption of business or industrial operations due to a denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability, against\u2014\n<ol>\n<li>(I) an information system or network; or<\/li>\n<li>(II) an operational technology system or process.<\/li>\n<\/ol>\n<\/li>\n<li>(iii) Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, managed service provider, other third-party data hosting provider, or supply chain attack.<\/li>\n<\/ol>\n<p>These requirements are <a href=\"https:\/\/us.eversheds-sutherland.com\/NewsCommentary\/Legal-Alerts\/249728\/The-Cyber-Incident-Reporting-for-Critical-Infrastructure-Act-of-2022\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">included in the text of the law<\/a>.<\/p>\n<h2>What Information Must be Reported to CISA?<\/h2>\n<p>It remains to be seen exactly how CISA will interpret the law, so it\u2019s unclear at this point what the specific reporting requirements will be. 
However, the act establishes certain minimum reporting requirements; it says that a covered cyber incident report will include the following, if \u201capplicable and available\u201d:<\/p>\n<ul>\n<li>A description of the covered incident.<\/li>\n<li>A description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber-incident.<\/li>\n<li>Any identifying or contact information related to each actor reasonably believed to be responsible for the cyber-incident.<\/li>\n<li>The category or categories of information that were, or are reasonably believed to have been, subject to unauthorized access or acquisition.<\/li>\n<li>Information about the affected entity, including state of incorporation or formation, legal entity name, trade names, or other identifiers.<\/li>\n<li>Contact information for the covered entity or an authorized agent of the entity.<\/li>\n<\/ul>\n<h2>Which Companies will be Affected by the CISA 2022 Act?<\/h2>\n<p>The law applies to businesses that maintain what the government calls critical infrastructure. It\u2019s likely that CISA will interpret this term broadly and that a variety of businesses across many industries will therefore be treated as \u201ccovered entities\u201d (meaning they are subject to the requirements of the law).<\/p>\n<p>At a minimum, CISA will likely define covered entities to encompass the sixteen sectors currently defined as \u201ccritical infrastructure\u201d industries under <a href=\"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2013\/02\/12\/presidential-policy-directive-critical-infrastructure-security-and-resil\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Presidential Policy Directive 21<\/a>:<\/p>\n<ul>\n<li>Chemical<\/li>\n<li>Commercial Facilities<\/li>\n<li>Communications<\/li>\n<li>Critical Manufacturing<\/li>\n<li>Dams<\/li>\n<li>Defense Industrial Base<\/li>\n<li>Emergency Services<\/li>\n<li>Energy<\/li>\n<li>Financial Services<\/li>\n<li>Food and Agriculture<\/li>\n<li>Government Facilities<\/li>\n<li>Healthcare and Public Health<\/li>\n<li>Information Technology<\/li>\n<li>Nuclear Reactors, Materials, and Waste<\/li>\n<li>Transportation Systems<\/li>\n<li>Water and Wastewater Systems<\/li>\n<\/ul>\n<h2>What Does the CISA Law Mean for MSPs?<\/h2>\n<p>Although MSPs may not directly operate critical infrastructure, the law has important 
ramifications for many MSPs.<\/p>\n<p>That\u2019s because MSPs may provide services to other businesses that do operate critical infrastructure and are therefore considered covered entities. Such MSPs may be the first to discover cyber incidents involving critical infrastructure. They may also be required to help generate reports about those incidents, since MSPs are likely to have knowledge of the technical context behind an incident.<\/p>\n<p>So, if you\u2019re an MSP, now is the time to start preparing for the Cyber Incident Reporting for Critical Infrastructure Act. Start by determining whether any of your clients are considered covered entities. Make sure, too, that you have a plan in place for recording and reporting the information that the law requires following an incident.<\/p>\n<p>It\u2019s also worth thinking strategically about which information not to report. It\u2019s important to disclose all of the information that the law requires, but as a best practice, you should not divulge more than necessary, because doing so could expose your clients to additional risk. CISA has the power to request additional information following a report, but you need not share extra information unless required.<\/p>\n<h2>Conclusion<\/h2>\n<p>The Cyber Incident Reporting for Critical Infrastructure Act of 2022 promises to help shore up the cyberdefenses of a variety of businesses, and reduce the risk of further incidents like the SolarWinds and Microsoft hacks of recent years. The law will help CISA to identify cyberattack trends and provide support for businesses to stop them.<\/p>\n<p>As an MSP, you have an important role to play in operationalizing the act. 
The law makes it more important than ever to record information about cyber incidents systematically, and to be prepared to report this information in the manner required by the government.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For MSPs, detecting and documenting cybersecurity incidents has always been important. But now, it\u2019s a formal legal requirement in some cases, thanks to the recently enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022.<\/p>\n","protected":false},"author":94,"featured_media":53839,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[884],"tags":[],"class_list":["post-53799","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-msp-business-articles"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/53799","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/94"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=53799"}],"version-history":[{"count":17,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/53799\/revisions"}],"predecessor-version":[{"id":58339,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/53799\/revisions\/58339"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/53839"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=53799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\
/categories?post=53799"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=53799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}