Last week the White House released Version 2 of the National Cybersecurity Strategy Implementation Plan (NCSIP). The Plan, which outlines actions the federal government is taking to improve our national cybersecurity posture, includes five pillars:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
We asked some industry thought leaders to weigh in on what MSPs should take away from this updated cybersecurity plan, and what specifically relates to their day-to-day practices and their SMB clients.
Your To-Do List From The National Cybersecurity Strategy Implementation Plan
Mike Semel, compliance expert and president of Semel Consulting, connected the dots between the general government language and some to-do items for MSPs:
Examine how these new steps will affect you and the clients you serve. “The National Cybersecurity Strategy Implementation Plan v2 talks a lot about Critical Infrastructure, a federal term for 16 sectors of the economy. MSPs are considered part of Critical Infrastructure (the Technology Sector) and support many clients in other Critical Infrastructure sectors,” Semel notes.
MSPs should ask their clients if they receive federal funds, or state funds that flow down from the federal government. “There is talk of safe harbor protection for certain areas and increased enforcement that will need to be approved by Congress. But Section 3.5.2—enforcements against government contractors under the Federal False Claims Act—is happening now,” Semel stresses. “The False Claims Act requires repayment of three times what the federal government paid for products or services. Medical doctors and dentists that accept Medicare and Medicaid payments are already being investigated for Medicare fraud because they misrepresented that their cybersecurity was HIPAA-compliant. Defense contractors have been charged with violations for misrepresenting that they implemented the cybersecurity requirements in their contracts. This will continue once CMMC takes effect.”
If you’re not subscribing to an Information Sharing and Assessment Organization (ISAO), you should be. An ISAO “makes it easy for MSPs to see a broader range of warnings and vulnerability announcements than if you try to subscribe to vendor mail lists,” Semel says. “CompTIA includes a subscription to its ISAO for all solution provider members. It’s a cheap and easy way to stay up on threats, vulnerabilities, and relevant news. CompTIA membership also includes discounts on certifications and events. Passing the independent assessment for the CompTIA Cybersecurity Trustmark can also go a long way to ensuring your MSP business is secure in a way that will stand up to scrutiny.”
If you are going to implement something other than the NIST Cybersecurity Framework (CSF), make sure it completely maps to the CSF controls—and document your work. “One thing that is notable is what isn’t mentioned,” Semel points out. “The U.S. government recognizes the NIST Cybersecurity Framework and offers benefits for its implementation that are not available using other frameworks. CIS Controls, ISO, and other frameworks are not mentioned. This should be a message to MSPs and their clients that there are many ways to do things, but following a government standard has unique rewards and protections.”
Themes To Pay Attention To
Lawrence Cruciana, founder and president of CorpInfo Tech, an MSP in Charlotte, North Carolina, and a participant in CISA’s Joint Cyber Defense Collaborative (JCDC), says three themes stand out to him:
Acknowledgment that cybersecurity is a team sport. “The NCSIP acknowledges this through the increased emphasis on the need for improved public-private partnerships,” Cruciana says. “Modern threats (and threat actors) cannot be effectively addressed by private industry or public agencies alone. It’s going to take all stakeholders to roll up their sleeves and work together.“
Cyber resilience is the new cyberdefense. “The heightened need to focus on cyber resiliency, not just defense alone, is a central theme of the NCSIP,” Cruciana notes. This includes “the need for incident response planning, improved interorganizational communication capabilities, and the need for ongoing assessment of cyber risk and cyber response capabilities.”
Together we can all learn—and improve. “The NCSIP version 2 clarifies the need to apply the lessons learned into both the legislative and strategic cyber-risk review processes,” Cruciana says. “The Plan encourages the strategic application of the lessons learned across the U.S. government and private industry to improve the overall cyber outcomes for all stakeholders.”
Zero Trust, Secure By Design
Tim Golden, CEO and founder of Compliance Scorecard, a governance-as-a-service platform for MSPs, says v2 of the Plan leans into the concepts of zero trust, secure by design, and collaboration. “We all have to work better together to build our digital borders,” he says.
Golden drilled down into some key initiatives outlined in the updated Plan and the takeaway for MSPs:
DoD Cyber Strategy (Initiative 2.1.1 & 2.1.6). “These initiatives focus on publishing and implementing an updated Department of Defense (DoD) Cyber Strategy. MSPs and IT companies working with the DoD or within the defense supply chain would need to align their cybersecurity frameworks with the updated DoD requirements,” Golden notes. “This can involve enhancing their cybersecurity measures, ensuring compliance with new DoD standards (CMMC/NIST 800-171), and adjusting services to accommodate more stringent security protocols.”
Cybersecurity in Healthcare (Initiative 1.1.4). “MSPs and IT companies serving the healthcare sector must promote and implement cybersecurity best practices as specified under this initiative. This includes deploying secure data handling processes, ensuring the privacy of patient data, and helping healthcare clients meet or exceed regulatory requirements such as HIPAA,” he says.
Cyber Supply Chain Risk Management (Initiative 1.5.5). “This initiative directly impacts MSPs and IT companies by encouraging the adoption of comprehensive supply chain risk management practices,” Golden points out. “MSPs can use and offer services that assess and mitigate supply chain risks, especially those providing cloud and infrastructure services that form the backbone of many organizations’ IT environments.”
Software Liability Framework (Initiative 3.3.5). “The exploration of a software liability framework could significantly affect how MSPs and IT companies manage risk and contractual obligations related to software failures,” Golden stresses. “This could lead to more stringent testing and documentation requirements, impacting software development and maintenance practices.”
Nothing New Under the Sun?
Kevin Beaver, an information security consultant and founder of Principle Logic, maintains that simply enforcing existing laws and holding people accountable would obviate the need for further regulation.
“The security concepts and principles businesses have needed to improve their resilience have been around for at least five decades,” Beaver says.
“James Martin’s book, Security, Accuracy, and Privacy in Computer Systems, from 1973 underscores this reality. Countless security and privacy regulations came about over the past two decades that put most businesses on alert. There’s hardly anything that’s not already regulated. There’s certainly nothing new under the sun in terms of core security concepts. Sure, the threats have evolved. There’s arguably more at stake in terms of system outages and information exposures, especially as it relates to business supply chains and critical infrastructure. But the very pillars to do security the right way haven’t changed.”
While he’s admittedly not a fan of the NCSIP, “I do see this as a growth opportunity for MSPs and channel partners. The visibility will be there since many … will be talking about how we need more ‘cybersecurity.’”
Learn, Be Aware, Act
Finally, Cruciana notes that while numerous areas of the NCSIP impact the channel, they “are less apparent to the day-to-day routines for most MSPs. The ability for MSPs to learn, adapt, and evolve from the expertise and perspective of the national cybersecurity strategies employed by the government can make a positive impact on their day-to-day.”
Semel’s message to MSPs is to take action. “The walls are closing in on MSPs and their clients who don’t adopt cybersecurity at a level that is reasonable based on today’s threats and are required by regulations.”
Overall, the impact of the NCSIP “is going to be really important for our nation as a whole,” concludes Golden, “calling the right people together and having the right voices at the table.”
