OMB Memo For Federal Cyber Incident Reporting Requirements

The White House Office of Management and Budget issued a memorandum laying out the procedures and requirements federal agencies should follow in reporting a cyber incident. The memo uses the NIST guidelines to direct the project, and uses past requirements under the Federal Information Security Modernization Act (FISMA).

“This memorandum describes the processes for Federal agencies to report to OMB and, where applicable, the Department of Homeland Security (DHS),” - OMB memo M-18-02. “Additionally, this memorandum consolidates requirements from prior OMB annual FISMA guidance to ensure consistent, government-wide performance and agency adoption of best practices,” according to the memo.

The memo also defines what constitutes a cyber incident that qualifies for a reported to OMB, based on NIST best practices. “A major incident is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” the OMB memo states. “Agencies should determine the level of impact of the incident by using the existing incident management process established” by NIST Special Publication (SP) 800-61 and the U.S. Computer Emergency Readiness Team's National Cybersecurity Incident Scoring System.

NIST's Cybersecurity Framework, that the Trump administration is requiring all federal agencies to use in managing their data risks, is part of the recommendation here as federal agencies follow these NIST guidelines. The OMB memo stated that "at a minimum, the CIO and the CISO positions are designated as sensitive positions and the incumbents have Top Secret Sensitive Compartmented Information access". The OMB also said that “This designation is necessary given that information regarding malicious-actor TTPs is often classified.”

National security and intelligence community systems are exempt from the OMB memo.