News, Trends, and Insights for IT & Managed Services Providers
News, Trends, and Insights for IT & Managed Services Providers

It’s been a busy week on the legislation front.

Under review in Congress, A new bill was introduced to create a pilot program that would extend the U.S. Cybersecurity and Infrastructure Security Agency’s network monitoring services for federal agencies to state and local governments.   It would run over three years, and those governments could enroll in CISA’s Continuous Diagnostics and Mitigation program, which monitors federal agencies’ networks in close to real-time and gives officials dashboards showing vulnerabilities to be addressed. 

The same bill also would codify and expand the Homeland Security Department’s Continuous Diagnostics and Mitigation program that helps federal agencies protect their networks. 

Those same co-sponsors of the bill also introduced the Legacy IT Reduction Act of 2022 to make the modernization of federal legacy IT systems mandatory. They would require agencies to identify and create an inventory of all legacy IT systems.   Agencies would also be required to include comprehensive information in their inventories about any legacy IT systems currently in use, including contractor and ownership information, operation and maintenance costs, and how the systems support mission objectives. 

A third bill was explicitly introduced around cybersecurity at the Department of Veterans Affairs. It would require the secretary of Veterans Affairs to obtain an independent cybersecurity assessment of VA information systems and submit a plan to address weaknesses to Congress. 

And reviewing past legislation, the Strengthening American Cybersecurity Act of 2022 has some interesting language.   Title II defines explicitly a managed services provider by name as “an entity that delivers services, such as network, application, infrastructure, or security services, via ongoing and regular support and active administration on the premises of a customer, in the data center of the entity (such as hosting), or a third-party data center.” 

The law requires that MSPs report any breach of their operations or systems within 72 hours or within 24 hours if a ransomware payment was made. It also codifies a federal vulnerability disclosure program in which vulnerability reporters will coordinate with federal agencies to “share information in a consistent, automated, and machine-readable manner.”

Finally, in investigations, the Senate released an investigation of the FBI into three case studies of ransomware attacks against U.S. companies within the past five years. All three companies interviewed for the investigation reported the attacks to the FBI at the time, but only two pursued assistance.  The findings point out that both companies that asked for help for the FBI response are lacking.     The report notes: “Both companies also indicated they did not receive advice on best practices for responding to a ransomware attack or other useful guidance from the Federal Government.” 

Why do we care?

I just wanted to note that the government is doing its SOC for itself… Sure, it’s not REALLY a SOC, although it looks like one when I squint a bit.    

The more significant point is the specific actions being taken to address cybersecurity.    Besides making that service available to state, local and tribal governments, aka the small businesses of government, a push to address older IT systems.

The FBI heat will cause some reevaluation of response.    I’d expect that naturally, as law enforcement has shifted their response in general, this is a late report.  That said, expect more proactive protections to come.

Oh, and that specific language for providers – so, are you digging into this law?     Sure, it may not apply to your industry … but with actual legal definitions, providers better know what the government calls them.

Choose your upgrade:

Get the full benefits of Business of Tech Plus

Insider Access

$12/month

Perfect for MSPs and ITSPs that want full interviews, early access, and ad-free listening

  • Programmatic Ad-free private podcast feedSame show, little interruptions
  • Channel Chatter previews1–2 topics with light insights
  • Early access to interview episodesHear it days before public release
  • Monthly Insider BriefTighter analysis you can share internally
  • Extra audio segmentsCut interviews, behind-the-scenes commentary, quick competitive notes
  • Become an Insider for $12/month

    Leadership Access

    $149/month

    Perfect for MSPs and Vendors that run a team and need the extended tactics, executive summaries, and weekly alignment brief

  • All Insider Access benefits plus . . .
  • Invite your teamIncludes access for 5 team members with option to add more
  • Vendor Strategy BriefsThe entire library, plus new analysis every month
  • Channel ChatterAll topics, full insights, complete vendor discussion + sentiment list
  • Quarterly State of the Channel Briefing
  • Monthly AMA submission priorityAsk Dave direct questions, and skip the line
  • Get the Leadership Edge for $149/month

    Vendor Partner

    $500/month

    Perfect for channel companies or vendors looking to deepen their engagement with the show.

  • All Leadership Access benefits plus . . .
  • Get highlighted as a show sponsor You'll get placement in the show notes, throughout the website, and on our dedicated sponsors page.
  • Enjoy regular shout outs You'll be featured in a rotating format during the show
  • Become a show sponsor for $500/month

    Search all stories