<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

NIST Cybersecurity Framework

OMB Memo For Federal Cyber Incident Reporting Requirements

down-arrow

The White House Office of Management and Budget issued a memorandum laying out the procedures and requirements federal agencies should follow in reporting a cyber incident. The memo uses the NIST guidelines to direct the project, and uses past requirements under the Federal Information Security Modernization Act (FISMA).

“This memorandum describes the processes for Federal agencies to report to OMB and, where applicable, the Department of Homeland Security (DHS),” - OMB memo M-18-02. “Additionally, this memorandum consolidates requirements from prior OMB annual FISMA guidance to ensure consistent, government-wide performance and agency adoption of best practices,” according to the memo.

The memo also defines what constitutes a cyber incident that qualifies for a reported to OMB, based on NIST best practices. “A major incident is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” the OMB memo states. “Agencies should determine the level of impact of the incident by using the existing incident management process established” by NIST Special Publication (SP) 800-61 and the U.S. Computer Emergency Readiness Team's National Cybersecurity Incident Scoring System.

NIST's Cybersecurity Framework, that the Trump administration is requiring all federal agencies to use in managing their data risks, is part of the recommendation here as federal agencies follow these NIST guidelines. The OMB memo stated that "at a minimum, the CIO and the CISO positions are designated as sensitive positions and the incumbents have Top Secret Sensitive Compartmented Information access". The OMB also said that “This designation is necessary given that information regarding malicious-actor TTPs is often classified.”

National security and intelligence community systems are exempt from the OMB memo.

You may also like

How Cyber Risk Management Tools ...
on December 6, 2023

In the ever-expanding digital landscape, businesses continually embrace many technologies to stay competitive and agile. However, this rapid adoption often leads to a complex web ...

The Complications of Cyber Risk ...
on November 28, 2023

In an era where digital landscapes are expanding unprecedentedly, the need for robust cybersecurity measures has become more critical than ever. As organizations strive to ...

Why I Joined CyberSaint: It’s All ...
on December 5, 2023

As I join CyberSaint as Chief Product Officer, I can't help but reflect on the path that led me to this opportunity. In college, I remember listening to Pink Floyd’s “The Wall” in ...

November Product Update
on December 5, 2023

With the latest release of updates to the CyberStrong platform, we are dedicated to providing solutions that empower you to assess your security posture effectively and ...

The FAIR Risk Model: A Practical ...
on December 5, 2023

Contending with the increased interest by Boards and executive leaders in cybersecurity, CISOs and security teams need a risk assessment model that can easily translate cyber risk ...

How to Select the Right Cyber Risk ...
on December 5, 2023

As organizations recognize the importance of cyber risk management, the challenge of selecting the right cyber risk management services for the company comes. An efficient cyber ...