The U.S. Computer Emergency Readiness Team (US-CERT) is implementing new reporting requirements beginning April 1, 2017, and just released new guidelines to help federal departments and agencies; state, local, tribal, and territorial government entities; information sharing and analysis organizations; and foreign, commercial and private-sector organizations submit incident notifications to the federal government. Any computer security incident impacting the confidentiality, integrity or availability of a federal government information system must be reported to US-CERT within one hour, using a standard set of data elements. These new guidelines may also offer some guidance for states as they consider, and possibly amend, their state notification statutes that govern cyber events impacting employees and customers. While the list of criteria appears fairly straightforward given the playing field, it also highlights the need to perform even a first-pass, high-level form of data mapping within your organization in order to respond effectively.
FISMA defines an "incident" as "an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies." According to US-CERT, any entity reporting an incident must now plan to include the following information points as mandatory reporting criteria, with several additional elements outlined as optional, but recommended, if known:
- The current level of impact on agency functions or services.
- The type of information lost, compromised or corrupted.
- The scope of time and resources needed to recover from the incident.
- When the activity was first detected.
- The number of systems, records and users impacted.
- The network location of the observed activity.
- Point of contact information for additional follow-up.
By implementing the new guidelines, US-CERT hopes to improve incident recognition through the higher quality of information it expects to receive, improve information sharing and situational awareness, and ultimately speed up incident response, all by way of various requirements built into the guidelines.
Also of note is that in return, agencies and business organizations should expect to receive the following information back from US-CERT within one hour of receiving the notification report:
- A tracking number for the incident
- A risk rating based on the NCCIC Cyber Incident Scoring System (NCISS)
The guidelines are worth reading in their entirety. They can be found on the US-CERT website, along with a useful downloadable PDF version.
With the new year ahead, the KMK Law Cybersecurity & Privacy Team is available to assist you with your ESI Data Mapping, incident response planning, and overall information governance. Remember, if you prepare for disaster, you recover faster.