What is a major cyber incident? Seems like a simple enough question to answer. But the Office of Management and Budget has been refining the definition for the better part of a decade.
It first defined a cyber incident in a 2007 memo, describing a Category 1 event as one in which an attacker gains access to systems or data, or breaches physical security controls.
In 2015, OMB honed the definition as part of the Federal Information Security Management Act (FISMA) guidance to agencies, meeting the requirement Congress laid out in the 2014 FISMA updates law.
But for whatever reason, that year-old definition just wasn’t quite perfect enough. So now the administration took another swing at the definition of a major cyber incident on Nov. 8 in the 2017 FISMA guidance to agencies.
OMB says a major cyber incident is one that “is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
The definition is pulled from the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT) Cyber Incident Severity Schema, which places a major incident at level 3 (orange) or higher.
OMB also says a major incident would include an attack where personal information of 100,000 people or more is taken, modified, deleted or otherwise harmed, or personal data that would impact national security, public safety, public health or civil liberties.
Alma Cole, vice president of cybersecurity at Robbins Gioia and a former DHS cyber executive, said OMB is setting the bar fairly high for agencies to report and experience a “major cyber incident.”
“Even the infamous Office of Personnel Management breach has yet to result in ‘demonstrable harm’ to the United States, although foreign relations were definitely affected,” Cole said. “As with previous years, the guidance reaffirms that agencies are ultimately responsible for assessing the impact level of each incident. I am very curious how many incidents each year reach this impact level. US-CERT has added provisions that require contacting US-CERT within one hour of discovering that the impact of a previously reported incident falls into this category. This is a welcome addition, as most critical details about an incident are not known within the current one-hour initial reporting time frame, and there needs to be more communication in general between agencies and US-CERT about ongoing incidents and their impact.”
The new definition differs from the 2015 FISMA guidance in that it no longer references “medium or high functional impact” to the agency and doesn’t talk about recovery of data in a specific amount of time.
In the new guidance, OMB emphasizes that in the end, the decision about whether to report a major incident to US-CERT and to Congress lies with the agency and how it’s impacted by the attack.
“The guidance is very action oriented. It tells agencies here is what you need to do if an incident occurs, who you need to report to and share with, and that is very helpful in terms of operationalizing the response of government to incidents and reporting in the FISMA context,” said Dan Chenok, the executive director of the IBM Center for the Business of Government. “It continues the trend of moving FISMA from compliance to action.”
Part of the operationalization of FISMA that Chenok is talking about is an effort to improve overall incident reporting. One issue that comes up every year is the number of cyber incidents agencies report to US-CERT, and the open question is whether agencies are reporting better data or are suffering more attacks.
In 2015, for example, agencies reported more than 77,000 incidents to US-CERT, up from 67,000 in 2014 and 61,000 in 2013.
“OMB and DHS are instituting a process to improve federal incident data to better understand information security incident trends, determine the impact incidents have on federal agencies and inform governmentwide policies to improve information security protections,” the guidance stated. “In October 2016, US-CERT released updated incident reporting guidelines to agencies that specify additional mandatory reporting fields for the US-CERT Incident Reporting System.”
Agencies must begin reporting these new metrics by April 1.
Cole said the change in incident reporting and desire for a deeper understanding likely comes from the Cybersecurity National Action Plan (CNAP).
“Through CNAP, DHS is essentially authorized to do much deeper penetration testing against federal agencies. That could include using the same techniques and methods that nation-state sponsored attackers use to infiltrate government systems and networks,” he said. “The results of this activity should help agencies to further shore up internal pathways and access methods that attackers might use to navigate and maintain persistence inside government networks. This is a very good thing if DHS does it correctly and I understand that these efforts have already been underway.”
Chenok added that the FISMA guidance also is trying to integrate a number of related issues around major cyber incidents, including Presidential Policy Directive 41 (PPD 41).
“It’s helpful to align this terminology and create a better operational consistency across agencies in their understanding of basic rules. At the same time, it enables agencies to use judgment in applying those standards, which are clearly spelled out. It’s not creating a new policy but aligning policies,” Chenok said. “My understanding, based on how the guidance is framed, is they are creating an alignment to have a consistent view across all agencies. Having a common understanding of how to proceed when there is an incident, how to trigger a whole-of-government response and what measures should be used when the trigger is implemented is part of what the memo is trying to do.”
Another important change in the FISMA guidance is the integration of cybersecurity and privacy.
Chenok said OMB tried to more clearly state the responsibilities of both security and privacy officials when a breach happens, building off the update to Circular A-130 released earlier this year.
Cole also pointed to the fact that OMB wants agencies to have a written policy or procedure for ensuring that any new collection of personal information is necessary.
“Also, instead of simply asking whether they have privacy documentation, etc., they would like this year’s memorandum to include actual links to publicly available documents and materials about the agency’s privacy program,” he said. “This should help to assure the public that the government takes the collection, security and use of PII in a serious and transparent way.”