The U.S. Computer Emergency Readiness Team (US-CERT) is implementing new reporting requirements beginning April 1, 2017, and just released new guidelines to help federal departments and agencies; state, local, tribal, and territorial government entities; information sharing and analysis organizations; and foreign, commercial and private-sector organizations submit incident notifications.
An "incident" is defined by the Federal Information Security Modernization Act of 2014 as "an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."
Any computer security incident impacting the confidentiality, integrity or availability of a federal government information system must be reported to US-CERT within one hour of being identified by the agency's top-level computer security incident response team (CSIRT), security operations center (SOC) or IT department, using a standard set of data elements.
When notifying US-CERT, agencies and organizations should be sure to include:
- The current level of impact on agency functions or services.
- The type of information lost, compromised or corrupted.
- The scope of time and resources needed to recover from the incident.
- When the activity was first detected.
- The number of systems, records and users impacted.
- The network location of the observed activity.
- Point-of-contact information for additional follow-up.
If known, identify the attack vector(s) that led to the incident and provide any indicators of compromise, including signatures or detection measures developed in relation to the incident, as well as any mitigation activities undertaken in response to the incident.
A complete list of mandates and deliverables can be viewed on the US-CERT website, and questions can be emailed to federal@us-cert.gov.