The U.S. Computer Emergency Readiness Team (US-CERT) is implementing new reporting requirements beginning April 1, 2017, and just released new guidelines to help federal departments and agencies; state, local, tribal, and territorial government entities; information sharing and analysis organizations; and foreign, commercial and private-sector organizations submit incident notifications to the federal government. Any computer security incident impacting the confidentiality, integrity or availability of a federal government information system must be reported to US-CERT within one hour, using a standard set of data elements. These new guidelines may also offer some guidance for states to consider and possibly amend their state notification statutes that govern cyber events impacting employees and customers. While the list of criteria appear fairly straight-forward given the playing field, they also highlight the need to perform even a first pass, high-level form of data mapping within your organization in order to effectively respond.
According to US-CERT, any entity reporting an “incident”, which is defined in FISMA as: "an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies", must now plan to include the following information points as mandatory reporting criteria, with several additional elements outlined as optional, but recommended, if known:
- The current level of impact on agency functions or services.
- The type of information lost, compromised or corrupted.
- The scope of time and resources needed to recover from the incident.
- When the activity was first detected.
- The number of systems, records and users impacted.
- The network location of the observed activity.
- A point of contact information for additional follow-up.
By implementing the new guidelines, US-CERT hopes to increase incident recognition abilities due to expected greater quality of information yielded, improve information sharing and situational awareness, and ultimately improve speed of incident response time, by various requirements baked into the guidelines.
Also of note is that in return, agencies and business organizations should expect to receive the following information back from US-CERT within one hour of receiving the notification report:
- A tracking number for the incident
- A risk rating based on the NCCIC Cyber Incident Scoring System (NCISS)
The entirety of the guidelines are worth a read, and can be found on the US-CERT website and also include a useful downloadable PDF version of the guidelines themselves.
With the new year ahead, the KMK Law Cybersecurity & Privacy Team is available to assist you with your ESI Data Mapping, incident response planning, and overall information governance. Remember, if you prepare for disaster, you recover faster.
- Cybersecurity and Privacy Law
- Cybersecurity Regulation
- Privacy Laws
- Cyber Insurance
- General Data Protection Regulation
- Data Breach
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- California Consumer Privacy Act
- Revisions to Proposed CCPA Regulations Released
- Happy New Year from the CCPA
- Can’t We All Get Along in the Cyber Sandbox?
- California's New Privacy Law is Coming - Are You Ready?
- Gearing up for National Cybersecurity Awareness Month: KMK Hosts Third Annual Cybersecurity & Privacy Seminar
- Ohio Data Protection Act - Safe Harbor for Businesses in Ohio
- Ohio’s Data Protection Act: What You Need to Know
- September 2018 Was a Busy Month for Data Privacy
- GDPR - 90 Days Later
- GDPR: What We're Learned So Far and What to Expect