The U.S. Computer Emergency Readiness Team (US-CERT) announced its new cybersecurity incident notification guidelines, which will go into effect on April 1, 2017.
The guidelines will affect all Federal departments and agencies, as well as state, local, tribal, and territorial government entities, according to the US-CERT statement. Information Sharing and Analysis Organizations and foreign, commercial, and private-sector organizations will also need to adhere to the new requirements when submitting incident notifications.
"Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian, Executive Branch agency is potentially compromised, to the [National Cybersecurity and Communications Integration Center]/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department," the notification explained.
An incident is defined as an occurrence that “actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system,” or one that “constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies,” according to the Federal Information Security Modernization Act of 2014 (FISMA).
For major incidents, Congress must be notified within seven days, the guidelines stated. It is up to the affected agency to determine whether an incident qualifies as “major,” and it may consult with US-CERT to help make the final decision.
“All major incidents are also considered significant cyber incidents, meaning they are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties or public health and safety of the American people,” the guidance explained, citing Presidential Policy Directive 41 (PPD-41), United States Cyber Incident Coordination.
“These significant cyber incidents demand unity of effort within the Federal Government and especially close coordination between the public and private sectors as appropriate.”
US-CERT added that there are seven required steps that agencies must go through when they are notifying it of an incident:
- Identify the current level of impact on agency functions or services (Functional Impact).
- Identify the type of information lost, compromised, or corrupted (Information Impact).
- Estimate the scope of time and resources needed to recover from the incident (Recoverability).
- Identify when the activity was first detected.
- Identify the number of systems, records, and users impacted.
- Identify the network location of the observed activity.
- Identify point of contact information for additional follow-up.
From there, US-CERT explained that other information should be included in the notification if it is known at the time. This includes, but is not limited to, the attack vector(s) that led to the incident, any indicators of compromise, and whether any mitigation activities have been taken in response to the incident.
In terms of healthcare cybersecurity incidents, covered entities and business associates must ensure they adhere to HIPAA regulations for reporting potential security incidents. However, understanding how healthcare cybersecurity incidents may impact other agencies is also important.
With healthcare cybersecurity threats continuing to evolve, and ransomware becoming an increasing issue, covered entities should take note of other federal reporting requirements and warnings issued from those agencies.
For example, the US Department of Homeland Security issued a ransomware alert through US-CERT earlier this year. Organizations that use networked systems were warned of the potential dangers stemming from that type of malware.
DHS stated that the alert was designed “to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.”
“Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading,” explained the alert, which was released in conjunction with the Canadian Cyber Incident Response Centre (CCIRC). “Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.”