The U.S. Computer Emergency Readiness Team (US-CERT) this week announced its new cybersecurity incident notification guidelines, which will go into effect April 1, 2017. These new guidelines will affect all Federal departments and agencies, as well as state, local, tribal, and territorial government entities; Information Sharing and Analysis Organizations; and foreign, commercial, and private-sector organizations.
The Federal Information Security Modernization Act of 2014 (FISMA) defines “incident” as “an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”
Under these new guidelines, agencies must report information security incidents to the National Cybersecurity and Communications Integration Center (NCCIC)/US-CERT within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department.
When submitting incident notifications to US-CERT, agencies must provide the required information from the following steps:
- Identify the current level of impact on agency functions or services (Functional Impact).
- Identify the type of information lost, compromised, or corrupted (Information Impact).
- Estimate the scope of time and resources needed to recover from the incident (Recoverability).
- Identify when the activity was first detected.
- Identify the number of systems, records, and users affected.
- Identify the network location of the observed activity.
- Identify point of contact information for additional follow-up.
In addition, the statement notes that major incidents should be reported to Congress within seven days of identification. When determining whether an incident qualifies as major, US-CERT recommends that agencies reference the criteria set out in the Office of Management and Budget's (OMB) most recent guidance.
According to the statement, these guidelines help US-CERT execute its mission objectives and provide the following benefits:
- Greater quality of information–Alignment with incident reporting and handling guidance from NIST SP 800-61 Revision 2 to introduce functional, informational, and recoverability impact classifications, allowing US-CERT to better recognize significant incidents.
- Improved information sharing and situational awareness–Establishing a one-hour notification time frame for all incidents to improve US-CERT’s ability to understand cybersecurity events affecting the government.
- Faster incident response times–Moving cause analysis to the closing phase of the incident handling process to expedite initial notification.