White House Tightens Breach Rules For Federal Agencies


Last Wednesday, the Office of Management and Budget (OMB) sent a memorandum to the chief information officers of all federal agencies telling them that they must report any breach of personally identifiable information to US-CERT within 60 minutes of discovery. US-CERT, which is part of the Department of Homeland Security, is the federal information security clearinghouse and watchdog.

"You should not distinguish between suspected and confirmed breaches," the memo continued.

In turn, US-CERT is then to forward any such report to the "appropriate Identity Theft Task Force point-of-contact" within an hour of being notified.

Gartner analysts John Pescatore and Jay Heiser were unimpressed.


"[We] believe that the new OMB memorandum is primarily a public-relations response to recent high-profile security incidents," wrote Pescatore and Heiser in an online research note. "Nevertheless, we think it represents a positive change."

They noted that the notification timing shift meant events which may have gone unreported to US-CERT for up to a week must now be forwarded much faster. "An improper-usage incident — such as the detection of sensitive personal information on a home computer or other unsupported device — must now be reported within one hour," Pescatore and Heiser continued. "This will reduce the possibility that such incidents will be reported in the news media before being formally reported by the relevant government agency."

Even so, the existing definition of "improper-usage" is too murky, said the Gartner analysts, and in the long run, faster reporting won't do any good unless the government's security response is drastically improved.

Also on Tuesday, another arm of the OMB issued a memo to all departments and agencies spelling out new information they must provide to Congress under the Federal Information Security Management Act of 2002. Data collected under FISMA is used to generate scorecards on each agency's information security practices.

The most recent report card slapped the federal government as a whole with a D+ grade.