Among the cybersecurity threats that are escalating in 2022, ransomware attacks remain one of the most damaging and impactful to federal agencies and contractors. According to Verizon’s yearly Data Breach Investigations Report (DBIR), this year has seen ransomware incidents increase by 13%, which is more growth than the past 5 years combined.
The cost of ransomware is high, with many cyber actors embracing a double extortion model which extracts twice the payment from their victims – but cost is far from the biggest concern for the U.S. government. Foreign adversaries – including China, North Korea, and Russia – are increasingly using ransomware against organizations in the West: sometimes, they even work together.
Government Initiatives and New Security Burdens
With all that being said, ransomware is a risk that organizations in the public and private sectors should be worried about: not only is it capable of driving businesses into bankruptcy, but it also represents a national security threat that can cripple critical infrastructure and expose classified information to nation-state actors.
Fortunately, 2022 has also brought multiple initiatives across agencies and branches of the U.S. government which will help curb the incidence of ransomware and keep businesses safe for years to come. Some will also impose new security burdens which government contractors will have to meet if they want to stay compliant.
In this blog post, we will share five recent developments in legislation and policy while explaining their implications for ransomware and compliance.
1. New Cyber Reporting Requirements
In the aftermath of a cyber incident or data breach, organizations have an ethical responsibility to inform their customers – sadly, that doesn’t always happen in a timely manner. But when a ransomware attack occurs against critical infrastructure, public safety is at stake, and rapid disclosure is all the more urgent.
In March, the ‘Cyber Incident Reporting for Critical Infrastructure Act of 2022’¹ (CIRCIA) was passed into law – under CIRCIA, critical infrastructure companies will be required to report any substantial cybersecurity incidents within 72 hours, and any ransom payments within 24. While the precise scope of covered entities remains to be determined, it will likely include sectors like:
- Critical Manufacturing
- Financial Services
- The Defense Industrial Base (DIB)
Ultimately, the new cyber reporting requirements will help law enforcement agencies to gather intelligence on attack patterns, track the activity of advanced persistent threat (APT) groups and respond to cyber emergencies in a timely way.
¹ The official source for CIRCIA is the Consolidated Appropriations Act of 2022; for readers’ convenience, the PDF linked above contains only the portions of the Act which comprise CIRCIA.
2. The Joint Ransomware Task Force
Within the text of CIRCIA, legislators proposed the formation of a ransomware task force, which was formally announced by Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly on the 20th of May.
The task force – which aims to combine cybersecurity initiatives across multiple U.S. agencies – will be co-headed by the Federal Bureau of Investigation (FBI), allowing law enforcement to collaborate with CISA more effectively.
Today, government agencies suffer from entrenched barriers to information sharing that hinder cybersecurity efforts. Better collaboration will be a major boon, allowing agencies to share and react to intelligence more quickly while building attack profiles that will help businesses to defend themselves against advanced ransomware strains that evade popular detection methods.
3. CMMC 2.0 and Updated CMMC Timeline
Following the release of Cybersecurity Maturity Model Certification (CMMC) 2.0, the Department of Defense (DoD) is now working with federal policymakers on an implementation timeline that could see CMMC enforced on DoD contracts by May of 2023.
CMMC 2.0 seeks to protect controlled unclassified information (CUI) by requiring federal contractors to undergo third-party assessment for cybersecurity compliance before they can be eligible for most Defense contracts. For less sensitive “Level 1” contracts, the DoD will accept self-assessment – for more sensitive “Level 3” contracts, organizations will need a more official government assessment.
By enforcing cybersecurity controls proportional to the sensitivity of each contract, CMMC 2.0 will not only encourage better security throughout the DIB – it will also ensure that the most sensitive CUI is only shared with contractors who are ready to defend it against a variety of threats, including ransomware.
4. Zero-Trust Legislation and Implementation
In 2021, the ‘Executive Order on Improving the Nation’s Cybersecurity’ instructed federal agencies to adopt zero-trust security models to defend their IT infrastructure. Shortly afterwards, CISA and the Office of Management and Budget issued documents outlining a zero-trust maturity model (ZTMM) to help agencies comply with the executive order.
The road ahead is difficult, especially with many federal organizations still relying on outdated, legacy IT architecture. But zero-trust adoption is well underway, and – difficulties notwithstanding – 6 out of 10 federal IT officials believe their agencies will be able to meet the challenge. More than 75% say they already have some form of zero-trust security policy in place.
From the perspective of reducing ransomware attacks, this is good news: zero-trust architecture won’t render organizations invulnerable to cyberattacks, but it will bring about significant transformation by forcing organizations to continually validate user identities, monitor apps, and accelerate modernization.
Most importantly – with zero-trust in place – it won’t be enough for ransomware actors to “get past the door”: they will be faced with multiple barriers to lateral movement and penetration that will halt many in their tracks.
5. Updates to NIST’s Cybersecurity Framework (CSF)
The National Institute of Standards and Technology (NIST) is updating its Cybersecurity Framework (CSF), a set of standards that has guided cybersecurity efforts in both the public and private sectors since it was first issued in 2014. In February of this year, NIST requested comments for an upcoming update to the CSF, prompting an outpouring of responses from industry experts.
Recently, DoD sources have stated that they want better risk-management guidance in the next version of the CSF, to align it with NIST Special Publication (SP) 800-30, ‘Guide for Conducting Risk Assessments’. Aligning the two NIST resources would help organizations that currently follow the CSF to develop a better understanding of risk and of the risk factors that lead to data breaches, ransomware attacks, and more.
Whether NIST implements this advice or not, an update to CSF could not come at a better time – cyber tactics have developed rapidly since the last update was released in 2018, and organizations are in need of guidance. According to the agency, a majority of respondents to its request for comment stated they find CSF to be a “useful model for organizations seeking to identify, assess, address, and manage cybersecurity risk” – it can only remain useful as long as it remains up to date with leading risk sources.
Cyber Expertise to Help You Stay Compliant
Compliance with federal cybersecurity standards and laws is non-negotiable for any business in the federal space, and a very good idea for businesses outside it. But as the cyber landscape changes, protecting revenue and customers demands a steadily rising cybersecurity baseline that can be hard to meet without guidance.
Securicon helps your business to comply with federal and regulatory requirements through program and risk assessments. With a team made up of veterans from the U.S. security community – including DoD, DHS, and U.S. Cyber Command – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.