Managed service providers (MSPs) must navigate a complex patchwork of international, national, and local cybersecurity laws and regulations, and soon, there will be even more rules to follow.
On October 3, 2023, the Federal Acquisition Regulation (FAR) Council published two proposed cybersecurity rules. MSPs need to familiarize themselves with both and track them as they move forward, because they will likely become contractual requirements. “The government has become increasingly active in cybersecurity regulation. Some say it’s too little too late. Others welcome it,” says Gary Farber, a cybersecurity and legal analyst in Minneapolis.
Farber says these two regulations proposed by the FAR Council would have a wide-reaching impact on MSPs.
- Cyber Threat and Incident Reporting and Information Sharing: This rule would require contractors to report security incidents to the government and to share cyber threat indicators and defensive measures with the government.
- Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems: This rule would standardize the cybersecurity requirements for contractors that develop, operate, or maintain federal information systems handling unclassified information.
Compliance presents challenges for smaller organizations
“The proposed reporting requirement is the government’s attempt to create a clearinghouse for incidents to help with response times,” Farber explains. However, the proposed rule would require reporting within eight hours of discovering an incident.
“That may prove tough to comply with for some smaller organizations,” Farber warns, adding that there may also be disagreement about what constitutes an “incident.” The reporting rule also carries several other proposed obligations, including developing and maintaining a software bill of materials (SBOM) for software used in contract performance, engaging with CISA, providing government access to contractor systems and personnel during an incident investigation, and maintaining compliance while operating in a foreign country.
“These are wide-ranging reporting requirements, and MSPs need to stay on top of these sweeping proposals,” Farber says. “The good news is that MSPs do a lot of these already, so the change won’t be drastic for those MSPs.”
The Unclassified Federal Information Systems overhaul also has several important pieces worth examining, Farber says. The proposed rule sets out cybersecurity policies, procedures, and requirements for contractors that develop or maintain a Federal Information System (FIS). “The part that will generate the most discussion is what will define FIS,” adds Farber.
As the proposed rule is written, an FIS is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. The rule also sets separate requirements for systems that use non-cloud computing services and for systems that use cloud computing services, under two new FAR clauses: “Federal Information Systems Using Non-Cloud Computing Services” and “Federal Information Systems Using Cloud Computing Services.”
MSPs must focus on the fundamentals
“Contractors that use both on-premises and cloud computing services must comply with the requirements of both sets of policies, as applicable,” Farber notes. But he goes on to add, “There are broad interpretations of what counts as an FIS or what doesn’t, and that will have to be worked out.”
Even the FAR’s definition of what counts as information technology is very broad. The proposed rule quotes the existing definition:
FAR 2.101 currently defines information and communication technology as information technology and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content. Examples include, but are not limited to, the following: Computers and peripheral equipment; information kiosks and transaction machines; telecommunications equipment; customer premises equipment; multifunction office machines; software; applications; websites; videos; and electronic documents.
“That would seem to cover almost everything electronic,” Farber says. Still, he says that many of the reporting requirements and new rules aren’t onerous if MSPs focus on the fundamentals.
According to Farber, MSPs should take these steps to make sure compliance is easier:
- Risk Assessment and Management: Farber encourages MSPs to conduct regular risk assessments to identify vulnerabilities and threats to the information systems. “Develop a robust risk management plan that includes preventive and corrective measures, which needs to be done regardless of rules. You can never do too much risk assessment,” he says.
- Education: All staff, including non-IT employees, must receive appropriate training. Farber advises, “This makes the whole organization stronger and ready to comply with new requirements.”
- Security Controls Implementation: Implement appropriate technical, administrative, and physical security controls to protect sensitive data. Farber singles out access controls, data encryption, and network security, along with incident response capabilities and regular testing to assess the effectiveness of the controls and verify compliance.
- Third-Party Vetting and Compliance: Ensure that any third-party vendors or subcontractors meet FISMA-based security requirements. This includes assessing their security practices and conducting regular audits to verify compliance.
The new reporting rule would grant the federal government broad access to the cybersecurity environment of any company connected to a federal contract. “This can be a slippery slope, and there hasn’t been a lot of discussion about safeguards from government overreach,” Farber concludes.