Section II: Updated Major Incident Definition and DHS US-CERT Incident Notification Guidelines
Updated Definition of Major Incident
FISMA 2014 authorizes OMB to define the term “major incident” and further directs agencies to notify Congress of a “major incident.” This Memorandum provides agencies with a definition and framework for assessing whether an incident[7] is a “major incident” for purposes of the Congressional reporting requirements under FISMA 2014[8]. This Memorandum also provides specific considerations for determining when a breach[9] constitutes a “major incident.” This guidance replaces the “major incident” definition previously provided in OMB Memorandum M-16-03, Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements.
A “major incident” is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people[10]. Agencies should determine the level of impact of the incident by using the existing incident management process established in NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide, and are encouraged to use the US-CERT National Cybersecurity Incident Scoring System (NCISS), which uses the following factors[11]:
- Functional Impact;
- Observed Activity;
- Location of Observed Activity;
- Actor Characterization;
- Information Impact;
- Cross-Sector Dependency; and
- Potential Impact.
Appropriate analysis of the incident will include the agency CIO, the Chief Information Security Officer (CISO), mission or system owners, and, if the occurrence is a breach, the SAOP. The definition above leverages the NCISS and therefore creates uniformity in the terminology and criteria used by agencies and US-CERT incident responders.
Other than breaches (which are addressed separately), if the incident meets the definition of a “major incident,” it is also a “significant cyber incident” for purposes of PPD-41[12]. Thus, a “major incident” as defined above will also trigger the coordination mechanisms outlined in PPD-41, including a Cyber Unified Coordination Group (CUCG).
A Breach that Constitutes a Major Incident
A breach constitutes a “major incident” when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people[13]. An unauthorized modification of[14], unauthorized deletion of[15], unauthorized exfiltration of[16], or unauthorized access to[17] 100,000 or more individuals’ PII constitutes a “major incident”[18].
Agencies must notify appropriate Congressional Committees per FISMA 2014[19] of a “major incident” no later than seven (7) days after the date on which the agency determined that it has a reasonable basis to conclude that a “major incident” has occurred[20]. This report should take into account the information known at the time of the report, the sensitivity of the details associated with the incident, and the classification level of the information. When a “major incident” has occurred, the agency must also supplement its initial seven (7) day notification to Congress with pertinent updates within a reasonable period of time after additional information relating to the incident is discovered. This supplemental report must include summaries of:
- The threats and threat actors, vulnerabilities, and impacts relating to the incident;
- The risk assessments conducted of the affected information systems before the date on which the incident occurred;
- The status of compliance of the affected information systems with applicable security requirements at the time of the incident; and
- The detection, response, and remediation actions.
Congressional Reporting of a Breach
Agencies must notify appropriate Congressional Committees per FISMA 2014[21] no later than seven (7) days after the date on which there is a reasonable basis to conclude that a breach that constitutes a “major incident” has occurred. In addition, agencies must also supplement their initial seven (7) day notification to Congress with a report no later than 30 days after the agency discovers the breach[22]. This supplemental report must include[23]:
- A summary of information available about the breach, including how the breach occurred, based on information available to agency officials on the date which the agency submits the report;
- An estimate of the number of individuals affected by the breach, including an assessment of the risk of harm to affected individuals, based on information available to agency officials on the date on which the agency submits the report;
- A description of any circumstances necessitating a delay in providing notice to affected individuals; and
- An estimate of whether and when the agency will provide notice to affected individuals.
Nothing in this guidance is intended to preclude an agency from reporting to Congress an incident or a breach that does not meet the threshold for a major incident.
Additional Guidance and Processes for Reporting Major Incidents:
- Although agencies may consult with DHS US-CERT on whether an incident is considered a “major incident,” it is ultimately the responsibility of the impacted agency to make this determination.
- Agencies should report to DHS US-CERT within one (1) hour of determining an incident to be “major,” or should update US-CERT within one (1) hour of determining that an already-reported incident has been determined to be major.
- If the agency determines a major incident has occurred, DHS is then required to notify OMB within one (1) hour of being so alerted.
Updated Reporting Requirements for Agencies and US-CERT
OMB and DHS are instituting processes, described below, to improve Federal incident data to better understand information security incident trends, determine the impact incidents have on Federal agencies, and inform government-wide policies to improve information security protections.
In October 2016, US-CERT released updated incident reporting guidelines to agencies that specify additional mandatory reporting fields for the US-CERT Incident Reporting System. To assist agencies in using the new guidelines, DHS will host a series of information sessions to familiarize agencies with the updated reporting fields and agencies will begin reporting in this revised format by April 1, 2017.
Agencies and US-CERT will also now participate in a formal data validation process to ensure the reported incident data is comprehensive and accurate. This improved information will serve as a foundation for agencies and DHS to perform investigative and forensic work. The framework for this process is as follows:
- US-CERT will provide every Federal agency with a log of the incidents it has reported by the 5th day of each quarter; and
- Agencies will review and validate that the data is correct and up to date by the 20th day of each quarter.
OMB will provide a high-level summary of agency incident data in the Annual FISMA Report to Congress in accordance with 44 U.S.C. § 3553.
7: An “incident” is defined under FISMA 2014 as “an occurrence that
(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” 44 U.S.C. § 3552(b)(2).
8: See 44 U.S.C. § 3554(b)(7).
9: A breach is defined as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses PII or (2) an authorized user accesses PII for an other than authorized purpose. The term PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad.
10: Level 3 (orange) or higher on the Cyber Incident Severity Schema, which includes a Level 4 event (red) defined as one that is “likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties,” and a Level 5 event (black), defined as one that “poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of US persons.”
13: The analysis for reporting a major breach to Congress is distinct and separate from the assessment of the potential risk of harm to individuals resulting from a suspected or confirmed breach. When assessing the potential risk of harm to individuals, agencies should refer to OMB’s guidance on preparing for and responding to a breach of PII.
14: Unauthorized modification is defined as the act or process of changing components of information and/or information systems.
15: Unauthorized deletion is defined as the act or process of removing information from an information system.
16: Unauthorized exfiltration is defined as the act or process of obtaining, without authorization or in excess of authorized access, information from an information system without modifying or deleting it.
17: Unauthorized access is defined as the act or process of logical or physical access without permission to a Federal agency information, information system, application, or other resource.
18: Only when a breach of PII that constitutes a “major incident” is the result of a cyber incident will it meet the definition of a “significant cyber incident” and trigger the coordination mechanisms outlined in PPD-41.
19: The Committee on Oversight and Government Reform, Committee on Homeland Security, and the Committee on Science, Space, and Technology of the House of Representatives; the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate; and the appropriate authorization and appropriations committees of Congress. See 44 U.S.C. § 3554(b)(7)(C)(iii)(III).
20: Thus, once an agency (based on initial incident analysis) arrives at a reasonable basis to conclude that a major incident has occurred, it must then report the suspected major incident to Congress within seven (7) days.
21: The Committee on Oversight and Government Reform, Committee on Homeland Security, and the Committee on Science, Space, and Technology, of the House of Representatives; the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate; the appropriate authorization and appropriations committees of Congress; the Committee on the Judiciary of the Senate; and the Committee on the Judiciary of the House of Representatives. See 44 U.S.C. § 3553, note (“Breaches”).
22: 44 U.S.C. § 3553, note (“Breaches”).