IN THE WAKE OF COLONIAL PIPELINE, FEDERAL INFRASTRUCTURE & CONTRACTING RULES ARE UNDER SCRUTINY

US officials have been mulling new cybersecurity regulations for various types of businesses in the wake of the SolarWinds disaster and the recent ransomware incident at fuel pipeline operator Colonial Pipeline. Although officials initially mused that the attack was from sophisticated nation-state threat actors, it was ultimately determined that the culprits were actually an unaffiliated major ransomware gang, DarkSide. Investigations showed that one of the reasons why a general ransomware gang was able to lock down this infrastructure linchpin was sloppy cybersecurity. That led to officials at every level of government becoming concerned about the power of ransomware to take down similar targets – a possibility that was neatly exemplified by this week’s attack on international meat behemoth JBS.

The attack on JBS marks the second recent attack on under-the-radar yet critical infrastructure targets in as many months. The company announced on Monday that a cyberattack had severely impacted operations at its subsidiary arms in the US and Australia. Experts estimate that one third of US beef production is served by JBS. Early reports are pointing the finger of blame at nation-state threat actors, but that should be taken with a grain of salt – early reports said the same thing about Colonial Pipeline, and it turned out not to be true. On Tuesday afternoon, White House spokeswoman Karine Jean-Pierre said the United States has contacted Russia’s government about the matter and that the FBI is investigating.

Infrastructure is More Than Bridges and Roads

The shockwaves that followed in the wake of Colonial Pipeline spurred the US federal government to work on several levels in an attempt to play catchup after years of lax cybersecurity oversight. That lack of scrutiny had led to gaping holes in the safety net for critical US infrastructure and supply chain service providers, a circumstance that cybercriminals are more than willing to exploit. Persistent cybersecurity vulnerabilities in myriad industries have left the White House and Congress scrambling as citizens demand answers. The federal government has just begun taking steps to address the problem but it’s facing a long road to security improvements that will assure voters that infrastructure is protected from increasing cyberattack danger.

In an Executive Order signed on May 12th, President Biden laid down an initial framework for response. The order declares that “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” Included in the Executive Order is a directive for top officials at the Office of Management and Budget (OMB), the Department of Defense (DOD) and the Department of Homeland Security (DHS), along with the US Attorney General and the Director of National Intelligence, to review the cybersecurity rules in the Federal Acquisition Regulation (FAR) bible and the Defense Federal Acquisition Regulation Supplement (DFARS) and to recommend changes to contract requirements and language for contracting with IT and OT service providers to ensure compliance with cybersecurity best practices. Those changes will then enter the federal rulemaking process for finalization.

Also included in the Executive Order, the President has instructed DHS and OMB that they have 120 days to institute a method by which federal and infrastructure service providers can quickly and reliably share data with agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), about threats, incidents and risks that present danger to infrastructure targets. In the Colonial Pipeline incident, the FBI and CISA were not informed by the company until well afterward. The Order goes on to lay down specifications for different requirements based on the work that the contractor does. It also includes calls for oversight of software development, new standards and practices to be developed by the National Institute of Standards and Technology (NIST), IoT consumer labeling guidelines and a host of smaller tech initiatives.

A notable section of the Order did not get as much airtime as the splashier regulatory actions, but it may hold special relevance for MSPs and their clients who serve the federal government as insight into what upcoming rule changes may look like. The Executive Order lays out a new federal approach to data handling and cybersecurity, influenced by the government’s recent Microsoft contretemps, instructing all agencies to update their existing cybersecurity plans to prioritize resources for the adoption of more security automation and universal use of cloud technology. The Order also directs every agency to develop a plan to implement zero trust architecture throughout the federal establishment. This was followed up with a mandate for CISA and the General Services Administration (GSA) to develop an updated federal cloud-security strategy that operates on zero trust principles.

The Impact on Businesses Will Be Profound

As the US federal government begins rolling out these sweeping changes, looking at the end goals of the initiatives can help organizations understand what federal authorities are considering in terms of cybercrime risk, what federal cybersecurity will look like going forward, and how these new regulations combat challenges like social engineering that can complicate security. After rulemaking finishes, the requirements will give federal contractors and service providers an idea of what to expect in future project requirements and in the bidding process, helping them ensure that their business is compliant with stricter information security policy before they start putting together a bid. In its final form, this Order also gives everyone in tech a glimpse into what the government’s cybersecurity experts are going to be scrutinizing moving forward in fields like automation, regulation and even ransomware policy.

This spate of new regulations and requirements may impact your customers and your business in many ways. While the wake-up call that the US federal government received from recent cybersecurity disasters will bring much-needed updates to the way that federal agencies handle information, it also carries implications for the SMBs who assist in that process. New regulations about the security features needed to qualify software and apps as eligible for federal purchasing may be something that your clients have to deal with as well, especially since many states will simply adjust their guidelines to match. Plus, this creates opportunities for SMBs that are prepared in advance to demonstrate that they can do the job well by already maintaining compliance with the new guidelines, letting them move into a sector where they may not have been able to compete previously. All of these circumstances are poised to provide new revenue streams for savvy MSPs as the cybercrime-as-a-service economy meets federal purchasing power.

Start laying the groundwork for any of your clients that may be impacted by new federal technology rules by making sure that they’re on track to provide first-class information security no matter who they’re serving. Contact us today to get the tools that organizations need to prevent unauthorized access to systems and data in place fast to ensure compliance in diverse industries.