The Cybersecurity and Infrastructure Security Agency (CISA) has released a 447-page draft of a new rule for reporting cyber incidents in critical infrastructure organizations. The rule, mandated by the Cyber Incident Reporting for Critical Infrastructure Act, requires organizations to report incidents within specific timeframes. The goal is to improve incident tracking and response and identify vulnerabilities in critical infrastructure. The public can provide feedback on the draft before it becomes official. Before you tune out, thinking these federal-size pieces of news matter only to big companies, consider that, according to CISA, nearly 311,000 small entities would be covered by the proposed cyberattack reporting rules.
The Federal Risk Authorization and Management Program (FedRAMP) is undergoing an overhaul with a new roadmap that outlines goals, initiatives, and near-term priorities. The program aims to bring in automation, test reciprocity, and speed up reviews. The roadmap includes pilots focused on agile software delivery, machine-readable authorization packages, low-review processes with trusted partners, and technology platform migration. The program also plans to hire a new FedRAMP director. The goal is to address longstanding issues, increase efficiency, and get more FedRAMP-authorized products into the federal marketplace.
The Department of Defense (DoD) is seeking to enhance the cyber defenses of its vendors by implementing a new Defense Industrial Base Cyber Strategy. The strategy aims to provide a more centralized and cohesive approach to cyber protection services, expand the pool of companies eligible to participate, and improve access to existing cyber protection services. The strategy does not provide detailed information on how it will interact with the impending Cybersecurity Maturity Model Certification (CMMC) program. Still, it promises to clarify existing language and develop forums for ongoing discussions with industry stakeholders.
The Pentagon is developing a shared virtual cloud-based workspace for small contractors to enhance their cybersecurity. The goal is to pilot the program with up to 75 small businesses to assess data security in a cloud environment. If successful, the program could be scaled and offered to more companies.
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released a set of best cybersecurity practices for managed services providers (MSPs). The agencies emphasize the need for more visibility into MSPs’ IT operations and recommend that organizations select MSPs willing to provide such visibility. They also advise organizations to consider agreements for notification and recovery in case of security breaches, adopt identity access management tools, and not rely on a single provider of managed security services. MSPs are urged to demonstrate value and set expectations upfront to minimize blame in the event of a cybersecurity incident.
Why do we care?
I want to highlight my recent interview with Mike Semel, who warns that many vendors serving the MSP community are not ready for FedRAMP and CMMC 2.0. Ultimately, this is the power of the purse to drive change in the industry. While I don’t expect most providers to pursue this work, a class of providers will have prepared for it and will leverage those capabilities for their commercial clients. Don’t say I didn’t warn you.