The President of the United States recently signed into law the Strengthening American Cybersecurity Act of 2022 (SACA). SACA is just one of many recent laws enacted to bolster cybersecurity, and something that MSPs need to have on their radar and pay special attention to.
SACA puts federal reporting muscle behind creating a better cybersecurity reporting system. The reporting will be administered by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The idea is that if there is a central clearinghouse collecting data about breaches, attack patterns, and hacker methodology, breaches can be detected and stopped sooner. Notably, SACA is one of the few pieces of legislation that specifically mentions MSPs.
SACA – Let’s talk about the specifics
“Most laws are general catch-alls, but this is very specific, which is why MSPs should pay attention,” advises Chris Walters, a cybersecurity attorney in Los Angeles.
This new law even defines what an MSP is:
“(12) MANAGED SERVICE PROVIDER. —The term ‘managed service provider’ means an entity that delivers services, such as network, application, infrastructure, or security services, via ongoing and regular support and active administration on the premises of a customer, in the data center of the entity (such as hosting), or in a third-party data center.”
If your MSP fits the above definition, then SACA’s provisions referring to managed service providers apply to you. SACA requires the reporting of cybersecurity incidents to a central clearinghouse, but not every incident will need to be written up. “Covered incidents” include:
“(i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
“(ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero-day vulnerability, against
“(I) an information system or network; or
“(II) an operational technology system or process”
“Similar to all laws, there will be trial and error and legal challenges, but the best way to handle this is to get out in front and have a plan in place,” Walters says.
You’ve got time, but don’t become complacent
There is some good news: while the law was signed in March, it will be some time before all of the law’s “plumbing” is in place.
“While the law has been passed, it will be 18 to 24 months before the final reporting process, and precisely which incidents are covered, will be spelled out, so MSPs have time. Still, it’s never too early to begin preparing,” Walters explains.
So, it remains to be seen what the final criteria will be for an incident to reach the threshold where reporting is required. If no substantial damage is done, or the client isn’t in critical infrastructure (like the corner pizza parlor or the local veterinarian’s office), a report won’t be needed. But that guidance is still forthcoming.
Yet, SACA’s early outline names businesses in the following verticals as comprising “critical” infrastructure: dams, chemical plants, utilities, food, healthcare, and transportation, to name a few, so it will be a wide umbrella.
Walters recommends that MSPs begin talking to clients now, especially those in critical infrastructure or those that receive federal contracts to start planning for the required SACA reporting.
“The worst thing an MSP can do now is just figure, ‘Well, the law won’t take effect for two more years, so let’s deal with it then,’” Walters warns.
Some specifics are already published, and those are the ones that MSPs and their customers should begin looking at immediately. For instance, it isn’t yet known what the final form of a report will be, but SACA does spell out some items that will need to be included.
Among the items of information:
- A description of the covered incident or ransomware attack
- A description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the cyber incident or ransomware attack
- Any identifying or contact information related to each actor reasonably believed to be responsible for such cyber incident or ransomware attack
- For cyber incidents, the category or categories of information that were, or are reasonably believed to have been, subject to unauthorized access or acquisition
- For a ransomware payment, the date of the ransom payment, the ransom payment demand, the ransom payment instructions, information regarding where to send the payment, and the amount of the payment
- Identification information of the impacted entity
- Contact information for the impacted entity or an authorized agent of the entity
“The guidance in the new law indicates that the federal government is going to start paying a lot more attention to ransomware: who is demanding it, how much, and where it is going,” Walters says.
Another aspect of the law explicitly allows an MSP to act as the reporting agent to the federal government on behalf of a client.
“I have a feeling that many short-staffed companies will just rely on their MSP to make the report as allowed under SACA,” Walters says. He adds that MSPs need to talk to their customers now and build a seamless, streamlined incident reporting apparatus so that everyone is ready when SACA takes full effect.
Photo: Andrey_Popov / Shutterstock