Following a spate of agency data breaches -- and a nudging from Congress -- the White House is updating annual cybersecurity guidelines that, for the first time, provide a definition for a “major” cyberincident.
The new definition -- mandated by a 2014 update to federal cyber legislation -- comes in annual guidance issued to agencies by the Office of Management and Budget as part of the Federal Information Security Management Act.
Here are the new criteria for a “major” incident:
- Involves information that is classified or “controlled unclassified information,” a broader category that includes proprietary information, intellectual property, trade secrets or personally identifiable information.
- Affects at least 10,000 users and is not “recoverable” (for example, sensitive data is exfiltrated from agency systems and publicly posted online. Or, the time to recover is unpredictable or would require additional resources.)
- Causes an agency to lose the ability to provide a critical service to at least some users. A “high-functional” impact, meanwhile, describes an incident in which an agency loses the ability to provide all critical services to users.
- Involves the exfiltration, modification, deletion or any other type of unauthorized access of information or system.
The new guidance says agencies can consult with the Department of Homeland Security about whether an incident meets the “major” threshold, but ultimately it’s up to the victim agency to make the final call.
Once agencies notify DHS of a major incident, OMB needs to be looped in within an hour, according to the guidance.
Lawmakers need to be notified within seven days. After the initial notification, the agency must keep providing updates to lawmakers including additional information about the threats, actors, response and remediation.
Agencies should notify individuals who may be affected by a breach of sensitive government data as “expeditiously as practicable, without unreasonable delay.”