Free Cyber Risk Analysis: Your Top Cyber Risks in 3 Clicks

Get Started
Request Demo

NIST Cybersecurity Framework

OMB Memo For Federal Cyber Incident Reporting Requirements

down-arrow

The White House Office of Management and Budget issued a memorandum laying out the procedures and requirements federal agencies should follow in reporting a cyber incident. The memo uses the NIST guidelines to direct the project, and uses past requirements under the Federal Information Security Modernization Act (FISMA).

“This memorandum describes the processes for Federal agencies to report to OMB and, where applicable, the Department of Homeland Security (DHS),” - OMB memo M-18-02. “Additionally, this memorandum consolidates requirements from prior OMB annual FISMA guidance to ensure consistent, government-wide performance and agency adoption of best practices,” according to the memo.

The memo also defines what constitutes a cyber incident that qualifies for a reported to OMB, based on NIST best practices. “A major incident is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” the OMB memo states. “Agencies should determine the level of impact of the incident by using the existing incident management process established” by NIST Special Publication (SP) 800-61 and the U.S. Computer Emergency Readiness Team's National Cybersecurity Incident Scoring System.

NIST's Cybersecurity Framework, that the Trump administration is requiring all federal agencies to use in managing their data risks, is part of the recommendation here as federal agencies follow these NIST guidelines. The OMB memo stated that "at a minimum, the CIO and the CISO positions are designated as sensitive positions and the incumbents have Top Secret Sensitive Compartmented Information access". The OMB also said that “This designation is necessary given that information regarding malicious-actor TTPs is often classified.”

National security and intelligence community systems are exempt from the OMB memo.

You may also like

Critical Capabilities of Cyber ...
on May 20, 2024

In today's digital landscape, robust cybersecurity risk assessment tools are crucial for effectively identifying and mitigating cyber threats. These tools serve as the first line ...

A Practical Approach to FAIR Cyber ...
on May 10, 2024

In the ever-evolving world of cybersecurity, managing risk is no longer about simply setting up firewalls and antivirus software. As cyber threats become more sophisticated, ...

Unveiling the Best Cyber Security ...
on April 24, 2024

Considering the rollout of regulations like the SEC Cybersecurity Rule and updates to the NIST Cybersecurity Framework; governance and Board communication are rightfully ...

April Product Update
on April 18, 2024

The CyberSaint team is dedicated to providing new features to CyberStrong and advancing the CyberStrong cyber risk management platform to address all your cybersecurity needs. ...

Bridging the Gap: Mastering ...
on April 22, 2024

In today's digital landscape, cybersecurity has become essential to corporate governance. With the increasing frequency and sophistication of cyber threats, the SEC has set forth ...

March Product Update
on March 21, 2024

The CyberSaint team is dedicated to advancing the CyberStrong platform to meet your cyber risk management needs. These latest updates will empower you to benchmark your ...