Cyber Breach Incident Notification Guidelines Ahead

The U.S. Computer Emergency Readiness Team (US-CERT) is implementing new incident reporting requirements beginning April 1, 2017, and has released new guidelines to help federal departments and agencies; state, local, tribal, and territorial government entities; information sharing and analysis organizations; and foreign, commercial, and private-sector organizations submit incident notifications to the federal government. Any computer security incident affecting the confidentiality, integrity, or availability of a federal government information system must be reported to US-CERT within one hour, using a standard set of data elements. These guidelines may also offer a useful model for states considering amendments to the state notification statutes that govern cyber events affecting employees and customers. While the list of criteria appears fairly straightforward, several of the mandatory elements (the type of information compromised, the number of records and users affected) cannot be answered within an hour unless an organization already knows where its data lives. Even a first-pass, high-level data map is therefore a prerequisite for responding effectively.

US-CERT uses the FISMA definition of an "incident": "an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies." Any entity reporting such an incident must now plan to include the following data points as mandatory reporting criteria; several additional elements are outlined as optional but recommended, if known:

  • The current level of impact on agency functions or services.
  • The type of information lost, compromised or corrupted.
  • The scope of time and resources needed to recover from the incident.
  • When the activity was first detected.
  • The number of systems, records and users impacted.
  • The network location of the observed activity.
  • Point of contact information for additional follow-up.

By standardizing the information it receives, US-CERT expects the guidelines to improve incident recognition through higher-quality reports, improve information sharing and situational awareness, and ultimately shorten incident response times.

Also of note: in return, agencies and business organizations should expect to receive the following from US-CERT within one hour of its receipt of the notification report:

  • A tracking number for the incident
  • A risk rating based on the NCCIC Cyber Incident Scoring System (NCISS)

The guidelines are worth reading in their entirety. They can be found on the US-CERT website, which also provides a downloadable PDF version.

With the new year ahead, the KMK Law Cybersecurity & Privacy Team is available to assist you with your ESI Data Mapping, incident response planning, and overall information governance. Remember, if you prepare for disaster, you recover faster.
