Although almost nothing seems to get bipartisan support anymore, cybersecurity may be an exception to the rule. On March 1 2022, the Senate unanimously approved the Strengthening American Cybersecurity Act. This bill follows President Biden's executive order on cybersecurity last year (E.O. 14028). On March 15, the President signed the new bill into law.
This law contains three separate acts. Two of them stipulate new reporting and modernization requirements for covered bodies. They are the Cyber Incident Reporting for Critical Infrastructure Act of 2022, and the Federal Information Security Modernization Act of 2022 respectively. The third act—the Federal Secure Cloud Improvement and Jobs Act of 2022—makes the shift toward cloud-based technologies easier and quicker for federal agencies.
The rule-making process is likely to take another two years to finish. So it’s still unclear precisely who is impacted by the Strengthening American Cybersecurity Act. For the moment, the law covers federal agencies and operators of critical infrastructure. However, the Cybersecurity and Infrastructure Agency (CISA) plays a prominent role in enforcing the bill's requirements. And it has yet to define which types of organizations fall under the critical infrastructure category.
If CISA applies the law broadly, tens of thousands of organizations will be forced to comply. In theory, this could affect any organization in the 16 critical sectors, including finance and healthcare. Regardless, there are two crucial areas within the Strengthening American Cybersecurity Act every organization should plan for.
Last year’s Biden executive order on cybersecurity 14028 applies to all federal agencies and any companies that do business with them. The new Act may also soon apply to these 5,000+ vendors as guidelines are updated. Furthermore, CISA often refers to the National Institute of Standards and Technology (NIST) frameworks to specify requirements. If a company’s Written Information Security Policies (WISPs) are underscored by NIST, they must follow the CISA Strengthening American Cybersecurity Act guidelines. If you don’t, you’ll fail audits and potentially face litigation.
Among the most stringent compliance requirements in the new Act is the focus on making cyberattack reporting faster and more detailed. Covered organizations must report cyberattacks to CISA within 72 hours. Covered entities that pay a ransom must notify CISA within 24 hours.
Reports also need to be highly detailed. Organizations impacted by a cyberattack must tell CISA how an incident happened and what their defenses were like at the time of attack. They must also explain the kinds of data threat actors accessed and supply all information they have about their hackers, including contact details. Ransomware victims who pay must describe how payments happened. This includes the sum paid and how payment occurred, for example—which digital currency was used. (See How to Stop Ransomware: See Breach Prevention in Action vs. the Cobalt Strike Backdoor for useful tips.)
Meeting these new requirements will be challenging for most organizations. According to the ISACA's 2020 "State of Cybersecurity 2020" report, as little as 16 percent of organizations correctly report cybercrimes today. It doesn't help that organizations rarely have much insight into how and when they were breached. According to IBM research, it typically takes organizations around nine months to even find a breach.
Unfortunately, poor visibility into cyberattack chains may soon put companies at significant legal risk. Organizations who report incidents to CISA will receive legal protection, including immunity from lawsuits based on what they report to CISA. But covered entities who do not report attacks risk serious legal consequences. As noted above, firms with WISPs that use NIST/CISA frameworks may also be at risk for litigation. According to the most recent version of the bill, CISA will be able to subpoena information from organizations. If a subpoena is not complied with, CISA can refer cases directly to the Justice Department for prosecution.
This bill shows the federal government wants a better picture of how attacks happen and what occurs afterward. But equally important is stopping attacks in the first place. Contained within the law is the Federal Information Security Modernization Act of 2022. It continues a move towards proactive security outlined in the Biden executive order on cybersecurity from 2021.
The Act stipulates that covered organizations enhance mobile security, implement NIST zero-trust architecture (ZTA) programs, and gather quantitative reports. (See Why Lean Security Teams Should Deploy A Zero Trust Defensive Endpoint Strategy for more.)
These requirements will improve security within the US. But most organizations are still early in their efforts to implement such controls. Only 30 percent of companies have started to roll out zero-trust efforts so far.
There’s a lot of ground between the new bill’s requirements and today's operational reality. So, any organization with WISPs that could be impacted by NIST/CISA updates, or is at risk of becoming a covered entity should act fast. Reporting processes must be deployed and tested to ensure the rapid response times CISA requires. In a changing compliance environment, bloated security stacks also need to be reassessed. And—where possible—lean, effective solutions implemented instead.
Visibility into how attacks happen will become a critical priority. The federal government will expect covered organizations to know exactly what’s happening across their IT estates. Executive Order 14028 already requires much of this. It’s reflected in new NIST framework updates such as the requirements for improved security technologies to combat ransomware. This means accurately spotting and tracking advanced threats, including signature-based and fileless or in-memory polymorphic attacks.
These now account for 94 percent of malware attacks that lead to ransomware. But antivirus (AV), endpoint protection platforms (EPP), and endpoint detection and response (EDR/XDR/MDR) don’t stop these zero-day advanced persistent threats.
Uniquely in the market, Morphisec’s revolutionary Moving Target Defense technology stops advanced, fileless, and in-memory attacks. Integrated with a lean security stack, Morphisec has a proven record in different business sectors, including operational technology environments. Combined with OS native Windows Defender AV and Defender for Endpoint (Plan 1 and 2), Morphisec also provides a single pane of glass viewpoint into an organization's attack surface. This capability offers organizations an enhanced level of situational awareness.
There are numerous details still to be determined in the Strengthening American Cybersecurity Act. Regardless, it's important to remember that federal cybersecurity requirements (for example, NIST compliance) often creep into the private sector. So it’s prudent to assume coverage is more likely than not. Most importantly, these new regulations offer excellent best practice guidelines to prevent costly ransomware attacks.