Driver: Handling and Reporting Computer Security Incidents

MEMORANDUM TO CHIEF INFORMATION OFFICERS

FROM:    Mark Forman, Associate Director for Information Technology and Electronic Government
RE:          Handling and Reporting Computer Security Incidents

The Government Information Security Reform Act (Security Act) mandates procedures for detecting, reporting, and responding to computer security incidents. A formal incident response capability minimizes the damage that can result from hackers, computer viruses and other malicious code.

This memorandum reiterates the responsibility of each agency to institute an incident handling capability to discover and respond to events that could disrupt normal system operations. In addition, this memo restates the responsibility of Federal civilian agencies to report all unauthorized system activity quickly and accurately to the Federal Computer Incident Response Center (FedCIRC) at GSA, and where appropriate to law enforcement authorities such as the FBI's National Infrastructure Protection Center as required by the Security Act.

In the FY 2001 Report to Congress on Federal Government Information Security Reform, OMB noted that incident handling was one of six common government-wide security weaknesses. Many agencies had virtually no meaningful system to test or monitor system activity across their bureaus and were therefore unable to detect intrusions or virus infections, placing individual agency systems and operations at great risk.

As you know, OMB's FY02 GISRA guidance contains specific performance measures on agency compliance with incident reporting requirements, as well as patch management activities. As part of the GISRA report due September 16th, CIOs should certify that both the agency and each of its components have established processes that ensure timely, accurate reporting to FedCIRC on computer security incidents, and where appropriate to law enforcement authorities such as the FBI's National Infrastructure Protection Center.

Due to the Federal government's inter-networked environment, agency components that fail to detect and report IT security incidents will likely cause significant problems throughout the agency network, and may impact other Departments and agencies. Therefore, I ask that you evaluate the specific resources, funding and authority for your incident response team. In addition, I ask that you review security training to ensure that users understand the proper procedures to follow when an incident occurs. This will increase the likelihood that incidents are reported as soon as they occur, and that system damage is contained.

As the federal civilian government's trusted focal point for computer security incident reporting, FedCIRC provides agencies assistance with incident prevention and response. For FedCIRC to successfully perform its mission, it must have an accurate depiction of the status of incidents in all agency bureaus and operating divisions.

Along with effective reporting, agencies must implement security patches in a timely manner. To improve the Federal government's ability to rapidly respond to security threats and vulnerabilities, FedCIRC will begin offering a web-enabled service to facilitate the downloading of security patches for commercial operating systems later this year. FedCIRC will inform agencies on the development of the Patch Capability.

Agencies may submit computer security incident reports to FedCIRC either via e-mail to fedcirc@fedcirc.gov with a cc to info@fedcirc.gov, toll free telephone hotline (888) 282-0870, or fax 703 326-9461 (703 326-9413 for secure fax). If the incident information is sensitive, FIPS 140-2 compliant encryption can be used. The attachment to this memorandum provides specific reporting instructions.

For additional information regarding the FedCIRC incident handling program which continues to evolve, as well as the upcoming Patch Capability, contact Larry Hale at (202) 708-7000 or Lawrence.Hale@gsa.gov.

Thank you for your attention to these important security initiatives.

Attachment: FedCIRC reporting instructions (pdf file)