Cybersecurity laws are changing, and it could mean trouble ahead for your business, if you're not proactive.

What the SACA Act means for you as a contractor or supplier in the Federal Government supply chain

Think you are good on the cybersecurity front? You're probably not ready for SACA. In fact, the average CMMC-2 / NIST 800-171r2 score for contractors with the DoD is only 60 out of a possible 110, so it's safe to say very few businesses are.


What is SACA?

You may have heard about the increase in ransomware attacks and cyber breaches directed at American businesses, in both the public and private sectors. Nation-state backed cyber warfare is escalating, and with the war in Ukraine, experts predict it's going to get even worse.

To address the need to protect U.S. businesses and the American people, the Strengthening American Cybersecurity Act (SACA) was passed unanimously and signed into law in March 2022. The law underscores an increased focus on rapid disclosure and robust protections for the private sector in the cybersecurity space. The details are still being worked out, with the final rules expected to be released in early 2024.

Covered and Outside Entities

Many businesses assume SACA applies only to government entities, utility companies, and those that do business directly with the government. Its reach is much bigger than that. It also affects a large portion of private and commercial businesses, known as "outside entities": the vendors, suppliers, and subcontractors.

The list of "covered entities" has yet to be finalized, but it involves a significant portion of the U.S. economy, including:

  • Government Facilities
  • Utilities
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Financial Services
  • Food and Agriculture
  • Healthcare and Public Health
  • Information Technology
  • Transportation Systems


If your business works with any of the vast number of "covered entities", then you must be ready to prove you have the required cybersecurity measures in place to continue doing business with those customers. Failure to produce evidence of robust security controls (CMMC-2 / NIST 800-171r2 compliance) could mean you're dropped from Approved Vendor Lists for posing too much of a security risk, as defined by the Federal government's Supplier Performance Risk Score.


Yes, You.

Cyber criminals continue to prey on the SME suppliers of these "covered entities" to gain access to their target, often multiple targets at one time, relying on SMEs' consistent lack of sophisticated cybersecurity.

Whether you're "covered" or "outside," you're expected to provide documented proof of the maturity of your cybersecurity control plan and to ensure vetted measures are in place to protect your business. Robust cybersecurity is no longer optional; it is a legal requirement, with very real consequences if you're caught out of compliance.

Reporting Requirements and Challenges

Under SACA, companies, regardless of size, are legally required to report breaches to Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach, and have 24 hours to report the details of a ransomware payment.

The average organization takes 105 days to discover and disclose an incident after it has occurred. Even enterprises with internal resources take 40 days on average to disclose an incident, falling far short of the 3-day time limit. That's challenge number one.

Challenge number two comes on top of meeting reporting deadlines: managing your reputation. The content requirements for a breach report include naming the vendors or subcontractors involved and giving specific details on any breach originating at the supplier level. If a breach occurred due to negligence on your part or that of any of your suppliers, it can cause serious brand damage that is hard to recover from, once you get past your legal woes, that is.


Small and Medium businesses are at a disadvantage.

It's worth noting that the disparity in resources between small and large businesses puts small to medium-sized businesses at a distinct disadvantage relative to large corporations with teams of IT personnel and generous budgets for keeping technology up to date. Savvy small business leaders should begin planning to advance their cybersecurity maturity posture now, because maturity advancement takes time and represents a significant commitment by your team and potentially a large investment in modernizing your technology infrastructure.


Procellis

The Strengthening American Cybersecurity Act is just the first step in enforcing the use of robust cybersecurity measures to protect our nation's digital economy and infrastructure. More laws are on the way. Now's the time for you to assess your vulnerabilities so you can improve your cybersecurity posture. And the best news so far is that you don't have to do it all on your own.

As a CMMC-RPO registered company, Procellis provides cybersecurity maturity advancement consulting for businesses serious about improving their cybersecurity posture to retain a solid presence in the supply chain. Our security experts guide you through each phase of the engagement, which includes:


  • Establishing a baseline of your current cybersecurity posture. We document your current practices and examine them against the 110 controls in the framework, then test existing controls to measure their efficacy.
  • Executive Summary: We give leaders the context of the findings report, explaining the business implications and prioritized recommendations for improvement.
  • Custom plan of action and milestones (PoAM) for maturity advancement. Security analysts lay out a strategy based on short- and long-term objectives for improvement on a shared platform, so teams have visibility of progress and accountability for assigned action items.
  • Policy Alignment Review to ensure compliance controls are met, cataloged and indexed, with guidance on addressing gaps and on the processes to follow for policy change documentation.
  • Technology Architecture Review. We fully catalog your on- and off-prem technology and ensure procedures and configurations meet compliance controls.
  • Evidence Quality Alignment: We evaluate the quality of existing compliance evidence against framework requirements and educate teams on best practices for collecting and documenting artifacts.
  • Supplier Cybersecurity Risk Assessment: We review and reinforce your supplier evaluation criteria and provide guidance on tracking supplier security performance.


Keeping up with these new laws and regulations requires internal SecOps expertise that many businesses don't have. Don't gamble with your business. Call in an expert! To learn more, schedule a discovery call and tell us how we can help your team win the compliance game.

