<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

NIST Cybersecurity Framework

OMB Memo For Federal Cyber Incident Reporting Requirements

down-arrow

The White House Office of Management and Budget issued a memorandum laying out the procedures and requirements federal agencies should follow in reporting a cyber incident. The memo uses the NIST guidelines to direct the project, and uses past requirements under the Federal Information Security Modernization Act (FISMA).

“This memorandum describes the processes for Federal agencies to report to OMB and, where applicable, the Department of Homeland Security (DHS),” - OMB memo M-18-02. “Additionally, this memorandum consolidates requirements from prior OMB annual FISMA guidance to ensure consistent, government-wide performance and agency adoption of best practices,” according to the memo.

The memo also defines what constitutes a cyber incident that qualifies for a reported to OMB, based on NIST best practices. “A major incident is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” the OMB memo states. “Agencies should determine the level of impact of the incident by using the existing incident management process established” by NIST Special Publication (SP) 800-61 and the U.S. Computer Emergency Readiness Team's National Cybersecurity Incident Scoring System.

NIST's Cybersecurity Framework, that the Trump administration is requiring all federal agencies to use in managing their data risks, is part of the recommendation here as federal agencies follow these NIST guidelines. The OMB memo stated that "at a minimum, the CIO and the CISO positions are designated as sensitive positions and the incumbents have Top Secret Sensitive Compartmented Information access". The OMB also said that “This designation is necessary given that information regarding malicious-actor TTPs is often classified.”

National security and intelligence community systems are exempt from the OMB memo.

You may also like

NIST vs. ISO –What You Need To Know
on June 24, 2022

Organizations are increasingly on the lookout for ways to strengthen their cybersecurity capabilities. Many have found solace in compliance frameworks that help guide and improve ...

Top 5 Recommendations For Your ...
on June 22, 2022

Discover, design, validate, promote, and sustain best practice cyber protection solutions to safeguard your people and processes. As the cyber attack surface expands, the Center ...

June Product Update
on June 21, 2022

It’s a celebration! 🎵♪🎵♪ ♩Automate your scores, come on (Let’s automate) Automate your scores, come on (Let’s automate) There’s a party goin’ on right here An automation to last ...

Why You Need CIS Controls for ...
on June 17, 2022

The Center for Internet Security (CIS) is a non-profit organization that helps public sectors and private sectors improve their cybersecurity. The organization aims to help small, ...

Small Business Cybersecurity ...
on June 15, 2022

To achieve peace of mind in the modern threat landscape, small business owners must have a solid security strategy and budget in place. VIPRE’s SMB Security Trends report state ...

Do Small Businesses and Startups ...
on June 10, 2022

Did you know that about 60% of small businesses shut down within 6 months by falling victim to a data breach or cyber-attack, where the average global breach cost hovers at $3.62 ...