It’s been a busy week on the legislation front.
Under review in Congress, A new bill was introduced to create a pilot program that would extend the U.S. Cybersecurity and Infrastructure Security Agency’s network monitoring services for federal agencies to state and local governments. It would run over three years, and those governments could enroll in CISA’s Continuous Diagnostics and Mitigation program, which monitors federal agencies’ networks in close to real-time and gives officials dashboards showing vulnerabilities to be addressed.
Those same co-sponsors of the bill also introduced the Legacy IT Reduction Act of 2022 to make the modernization of federal legacy IT systems mandatory. They would require agencies to identify and create an inventory of all legacy IT systems. Agencies would also be required to include comprehensive information in their inventories about any legacy IT systems currently in use, including contractor and ownership information, operation and maintenance costs, and how the systems support mission objectives.
A third bill was explicitly introduced around cybersecurity at the Department of Veterans Affairs. It would require the secretary of Veterans Affairs to obtain an independent cybersecurity assessment of VA information systems and submit a plan to address weaknesses to Congress.
And reviewing past legislation, the Strengthening American Cybersecurity Act of 2022 has some interesting language. Title II defines explicitly a managed services provider by name as “an entity that delivers services, such as network, application, infrastructure, or security services, via ongoing and regular support and active administration on the premises of a customer, in the data center of the entity (such as hosting), or a third-party data center.”
The law requires that MSPs report any breach of their operations or systems within 72 hours or within 24 hours if a ransomware payment was made. It also codifies a federal vulnerability disclosure program in which vulnerability reporters will coordinate with federal agencies to “share information in a consistent, automated, and machine-readable manner.”
Finally, in investigations, the Senate released an investigation of the FBI into three case studies of ransomware attacks against U.S. companies within the past five years. All three companies interviewed for the investigation reported the attacks to the FBI at the time, but only two pursued assistance. The findings point out that both companies that asked for help for the FBI response are lacking. The report notes: “Both companies also indicated they did not receive advice on best practices for responding to a ransomware attack or other useful guidance from the Federal Government.”
Why do we care?
I just wanted to note that the government is doing its SOC for itself… Sure, it’s not REALLY a SOC, although it looks like one when I squint a bit.
The more significant point is the specific actions being taken to address cybersecurity. Besides making that service available to state, local and tribal governments, aka the small businesses of government, a push to address older IT systems.
The FBI heat will cause some reevaluation of response. I’d expect that naturally, as law enforcement has shifted their response in general, this is a late report. That said, expect more proactive protections to come.
Oh, and that specific language for providers – so, are you digging into this law? Sure, it may not apply to your industry … but with actual legal definitions, providers better know what the government calls them.
