Request Demo

NIST Cybersecurity Framework

OMB Memo For Federal Cyber Incident Reporting Requirements

down-arrow

The White House Office of Management and Budget issued a memorandum laying out the procedures and requirements federal agencies should follow in reporting a cyber incident. The memo uses the NIST guidelines to direct the project, and uses past requirements under the Federal Information Security Modernization Act (FISMA).

“This memorandum describes the processes for Federal agencies to report to OMB and, where applicable, the Department of Homeland Security (DHS),” - OMB memo M-18-02. “Additionally, this memorandum consolidates requirements from prior OMB annual FISMA guidance to ensure consistent, government-wide performance and agency adoption of best practices,” according to the memo.

The memo also defines what constitutes a cyber incident that qualifies for a reported to OMB, based on NIST best practices. “A major incident is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” the OMB memo states. “Agencies should determine the level of impact of the incident by using the existing incident management process established” by NIST Special Publication (SP) 800-61 and the U.S. Computer Emergency Readiness Team's National Cybersecurity Incident Scoring System.

NIST's Cybersecurity Framework, that the Trump administration is requiring all federal agencies to use in managing their data risks, is part of the recommendation here as federal agencies follow these NIST guidelines. The OMB memo stated that "at a minimum, the CIO and the CISO positions are designated as sensitive positions and the incumbents have Top Secret Sensitive Compartmented Information access". The OMB also said that “This designation is necessary given that information regarding malicious-actor TTPs is often classified.”

National security and intelligence community systems are exempt from the OMB memo.

You may also like

Why GRC Needs IRM
on February 15, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux
Government Shutdown Cybersecurity ...
on February 12, 2019

In January, CyberSaint CEO George Wrenn penned his thoughts on the impact of the government shutdown. In his post, George foresaw the outcome of the shutdown not being a future ...

The Cybersecurity Skills Gap: The ...
on February 7, 2019

The cybersecurity skills gap is nothing new to the seasoned cyber professional. It has been widely discussed in cyber and information security circles for some time. The main flag ...

George Wrenn
The Post-Digitization CISO
on February 5, 2019

Information leaders in digital businesses, whether focusing on optimization or a full transformation, are inherently altering their position among the executive leadership. As ...

Integrated Risk Management and ...
on January 31, 2019

With technology permeating every aspect of a business, one begins to wonder what technology is reserved for digital risk management rather than the other facets of integrated risk ...

Department of Defense Launches ...
on January 29, 2019

The Defense Federal Acquisition Regulation Supplement (DFARS) mandate, specifically Clause 252.204-7012 requiring all members of the Department of Defense’s supply chain to comply ...