CIRCIA and MSPs: Navigating the New Era of Cyber Incident Reporting

By Jennifer Oladipo

Nov 15, 2024


The cybersecurity landscape is shifting beneath our feet, and MSPs are caught in the middle of a significant transformation. As the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) inches closer to implementation, the industry faces both challenges and opportunities in adapting to new reporting requirements.

Recent developments have only added to the complexity. In October, a coalition of critical infrastructure organizations voiced concerns in a letter to CISA director Jen Easterly about potentially excessive reporting requirements. Meanwhile, a landmark Supreme Court decision has fundamentally altered how federal agencies can interpret and enforce regulations.

“CIRCIA is coming. How it comes we don’t know, but we can be prepared,” said Lawrence Cruciana, president of Corporate Information Technologies, at ChannelCon 2024. He captured the current sentiment among MSP leaders trying to navigate these changes.

Understanding the New Reality

CIRCIA’s proposed rule, expected to be finalized in early 2025, introduces stringent reporting time frames: 72 hours for most cyber incidents and just 24 hours when there’s a ransom demand.

But time isn’t the only factor MSPs need to consider.

The scope of what constitutes a “covered incident” ranges from substantial losses to operational impacts, unauthorized access and third-party compromises. For MSPs serving critical infrastructure clients, understanding these definitions becomes crucial to compliance.

Small and medium-sized MSPs might wonder if these requirements apply to them. Unfortunately, the answer isn’t straightforward. It depends on various factors defined by Small Business Administration (SBA) standards, including employee count, annual receipts and industry-specific criteria. The key is to follow the risk: If your clients fall under critical infrastructure categories, you’re likely to be affected regardless of your size.

The “Chevron Doctrine” adds another layer of complexity.

The Supreme Court’s June 2024 decision in Loper Bright Enterprises v. Raimondo, which overturned the Chevron doctrine, diminished federal agencies’ authority when interpreting regulations: they now have the “power to persuade” rather than the “power to control.” That means it may be less clear which rules an MSP’s actions fall under, and whether an MSP is compliant with the new rules.

“We need to be very clear in our agreements about the choice of law, choice of venue and choice of interpretation,” Cruciana said. Such clarity becomes especially important when dealing with multiple regulatory frameworks.

Some Protections for MSPs

Despite the new obligations, CIRCIA isn’t all stick and no carrot. The Act includes significant protections for reporting entities that should ease some concerns about information sharing. For example, reported information can’t be used in judicial proceedings, is exempt from most FOIA requests and requires broad de-identification of data.

This protected reporting environment represents a shift in how the government approaches cybersecurity collaboration with the private sector. It’s designed to foster honest, detailed reporting without fear of legal repercussions or competitive disadvantages.

Still, understanding your exposure is critical. “Today, take action to understand your clients, and understand how the risks they have apply to you.” That means sit-down client conversations, clear documentation, clarity on existing requirements and legal consultation, Cruciana advised. “I’ve personally been in situations where I assumed a client or vendor would make the required reports. They didn’t, and it left me in an exposed position.”

Resources for the Journey

As the industry awaits the final rule, MSPs should focus on building flexible, scalable reporting capabilities. This means reviewing incident response plans, evaluating log retention capabilities and ensuring staff are trained on proper incident classification and reporting procedures.

The Federal Multilateral Information Sharing Agreement (MISA) offers some relief by allowing for reporting exceptions when similar requirements are met under other agency regulations. This effort to harmonize shows the government’s awareness of the potential burden on businesses and its attempt to streamline compliance.

For MSPs looking to stay ahead of these changes, a few resources prove invaluable:

  1. CISA’s CIRCIA information hub provides regular updates and guidance on implementation
  2. The SBA’s size standards tool helps determine applicability
  3. GTIA ISAO offers threat feeds and industry-specific guidance for MSPs
  4. The GTIA Cybersecurity Trustmark includes a section on incident response planning to help with compliance

CIRCIA will take time to understand, implement and communicate. The key is starting now, building strong foundations and maintaining flexibility as the final requirements take shape.

The implementation of CIRCIA marks not just a new compliance requirement, but a shift in how MSPs approach cyber incident reporting and client relationships. Those who prepare now will find themselves better positioned to navigate this new era of cybersecurity regulation.
