Congress has set new rules for MSPs. Now what?

Matt Lee, Pax8 Senior Director of Security and Compliance

How regulations will affect the cybersecurity industry.

The federal government has defined what an MSP is in their groundbreaking Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This is big news for every MSP in the market, as CIRCIA may forever change how MSPs report and manage cybersecurity. Being officially defined by Congress also means that regulators have a written definition for what your business is, potentially opening the market to oversight by regulatory bodies.

Does your business have an effective cybersecurity program? Are you capable of reporting on incidents today? Can you track your data accurately? Below, I’ll outline how to make sure you can answer these questions in the affirmative and ready your business for this change.

Why Is This Happening?

Cyberattacks by both individual actors and nation-state-backed groups have been on the rise since 2017. Due to the catastrophic potential of cybercrimes, the U.S. federal government and other agencies are starting to take action. Corporate espionage by nation-state actors targeting Controlled Unclassified Information (CUI), such as technical documents and blueprints, is a major source of concern for these government agencies, especially since it may give their geopolitical competitors a leg up. China, for example, was able to create a knockoff F-35 (the Shenyang FC-31) in under four years after taking a mixture of classified information and CUI. This underscored the relative weakness of critical infrastructure throughout the U.S., such as banks, IT companies, major supply chain organizations, and hospitals. However, government agencies realized that they had no data with which to address and combat this issue, because organizations were hiding their incidents instead of reporting them. For this reason, Congress passed CIRCIA to ensure that any organization in critical areas that may handle support for our nation’s infrastructure is able to provide critical threat intelligence to aid in fighting this ransomware plague. Included in this list are the MSPs underpinning the industries that are required to report on these incidents.

What Does This Mean for MSPs?

If you’re an MSP and have no security program, no way to report an incident, no incident response plan, and no procedures in place, then you cannot possibly meet the requirements being laid out in CIRCIA. Currently, we are in a holding period that could last until 2025 while these policies are being developed. During this time, MSPs must start establishing a cybersecurity incident response program within their organizations.

This is important because when CIRCIA implements these structural changes, you must be able to respond immediately. This will prove challenging for MSPs, as many are not even set up to obtain the data they need to report incidents. That is why learning the procedures and plans needed to set up an effective reporting system may take longer than expected, and also why starting now is the best, and only, option for an MSP.

As government agencies begin to develop and apply CIRCIA to MSPs and the vital role they play in countering national cyber risks, MSPs will face ever-increasing regulation to safeguard national safety and the security of businesses. Similar legislation that creates regulated guardrails like CIRCIA already exists in other sectors. One such example is the Food and Drug Act. Once that act was adopted, formalized taxonomies were put in place to ensure the safety of the public. However, when it comes to MSPs, no such uniformly accepted taxonomies exist. CIRCIA is a game-changer in this regard. It’s the first step toward holistic, industry-wide regulations for MSPs, resulting in safer, clearer standards across the board.

To provide an analogy, would you trust an unlicensed contractor with partial training to build your family home? At present, an MSP who helps organizations during cybersecurity events without having explicitly defined frameworks poses a similar risk. As this industry matures, we will see more MSPs adopting these frameworks and designing healthy cybersecurity practices for their client partners.

What Does CIRCIA Mean for the Future of MSPs?

In the next three to five years, we could see more laws that regulate MSPs to ensure they know how to produce a proper incident report and are informed about laws defining the levels of protections they need to have. As of November 2022, we are sitting in a pressurized environment that’s waiting to explode with insurance companies serving as the initial spark as they lean on MSPs to add heightened reporting and security capabilities. Insurance providers have been taking losses on cybersecurity in recent years due to a lack of actuarial data, which has led to increased demand and risk that ultimately ends up falling on the shoulders of MSPs.

Prior to CIRCIA, there was no legislation in place to combat cybercrimes, so the government had to find creative ways of regulating this industry. By applying older laws to these entities, the government has cobbled together an ad hoc (but incomplete) approach to safeguarding American businesses. One example is the False Claims Act, which the U.S. Department of Justice leveraged to sue companies, like Aerojet Rocketdyne, for claiming they had followed key regulations when they hadn’t.

So what does the future look like for MSPs? They will need to adhere strongly to functional frameworks in order to support the capabilities laid out by CIRCIA, insurance companies, and additional policies as they develop, or risk losing their practice.

What Can MSPs Do Right Now?

It’s time to take stock of where your organization is today and begin devising and implementing a policy for forward-thinking maturity. Your company doesn’t have to be the greatest provider of cybersecurity in the world, or the best at reporting — but you must be reasonable in the way you approach it. MSPs should find a framework that walks them through the process, such as the Critical Security Infrastructure (CIS) Top 18 or the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

The purpose of the CIS Top 18 is for your organization to have a set of standards that are best practices for minimizing the risk and showing a healthy cybersecurity practice. These controls cover everything that your organization should be following in order to meet an acceptable level of cybersecurity and cover the main facets that every organization should have when it comes to protecting their own data. By adopting a framework in your organization that implements these controls in order and constantly iterates on them, not only will your organization be prepared to be compliant with CIRCIA, but it will also be better protected.

Sharing cyber incidents will become a key part of an MSP’s duties and those who don’t share them will fall behind. To meet these future requirements, it’s imperative that your organization work its way down the list of controls provided by the CIS Top 18 in order. To that end, the 17th control that should be met is incident response management, which encourages your organization to develop capabilities such as incident response procedures, defined roles, training, and communications. Ultimately, when it comes to implementing CIS Top 18, the goal isn’t just to be good at reporting incidents, it’s to be good at dealing with them before they even reach the stage where you need to report them.

But how can you approach the impending CIRCIA regulations and the adoption of strong frameworks as an individual MSP? The first step is to document your current security status and apply these frameworks to your organization. Having a written foundation for plans and procedures is vital. If it’s not documented, it doesn’t exist to regulatory bodies, and it doesn’t help you demonstrate due care or meet the reasonable-person standard. The second step is to act immediately. Your organization has until 2024/2025 to get these plans and procedures into place. For assistance and education in this emerging but crucial field, Pax8 offers classes to our partners that teach exactly how to implement CIS controls in your organization and prepare you for incoming regulations.
