Cyber Incident Reporting: A Reprieve for Government MSSPs?
by D. Howard Kass • Dec 10, 2021
Political discord popped up again in Congress — this time in the area of crucial cybersecurity legislation. The upshot: Bipartisan support to require critical infrastructure operators and owners to report cyber incidents in three days (or ransom payments in one day) was left out of a compromise version of the $768 billion National Defense Authorization Act (NDAA) just approved by the House, SC Media notes.
The cyber incident reporting measure would have also directed federal contractors, including MSSPs, MSPs and managed detection and response (MDR) service providers, to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of making a ransom payment. Many businesses, nonprofits, and state and local governments would have been included in that rider.
That last proviso reportedly bothered Sen. Rick Scott (R-FL), who wanted to pare the number of organizations affected by the reporting requirement. “Senator Scott fought to ensure the scope of this new cybersecurity incident reporting law would be limited to critical infrastructure and not burden America’s small businesses,” McKinley Lewis, the communications director for Scott, told The Hill. Lewis said Scott was surprised the amendment with his proposed change was not included in the bill.
The excluded cyber reporting segment of the NDAA sprang from an amendment proposed by Sens. Gary Peters (D-MI), who chairs the Homeland Security and Governmental Affairs Committee, Mark Warner (D-VA), Rob Portman (R-OH) and Susan Collins (R-ME). Its foundation is Peters’ earlier Cyber Incident Reporting Act and the separate Federal Information Security Modernization Act of 2021, which would require critical public and private organizations to notify CISA within 24 hours of discovering a system compromise.
In early October, the Department of Justice (DOJ) launched a new action to slap hefty fines on government contractors, including MSSPs and MSPs, that fail to report a cybersecurity incident.
Peters was unhappy with the elimination of the incident reporting clause. The nation needs “urgent action” to combat cyber attacks, he said. “I’ll continue leading efforts to enact these critical, commonsense reforms and ensure our nation has a comprehensive strategy to fight back against cyber criminals and foreign adversaries who continue targeting our networks.”
Other clauses that didn’t make the cut include a General Services Administration-housed civilian reserve pilot program, a side talent pool for the Department of Defense (DOD) and the Department of Homeland Security in cyber emergencies, and a cyber counseling certification program with the Small Business Administration to train and certify counselors at small business development centers.
Several other cybersecurity-related issues that did get in the door include directives for the DOD to assess technology supply chain risks, evaluate the cyber capabilities of adversaries, review the operations of information networks, industrial control systems, weapons systems and platforms, and audit its cyber workforce requirements.
The bill next heads to the Senate, where it is expected to pass and land on President Biden’s desk for his approval.