OMB sets one-hour data breach rule

With the deluge of recent data breaches, the Office of Management and Budget is pushing agencies toward stricter IT security accountability.Agencies now have a clear standard for reporting all incidents and a comprehensive definition of personally identifiable information.Some chief information security officers said OMB’s effort clarifies the steps agencies must take when an incident occurs—report it to the U.S. Computer Emergency Readiness Team within one hour of discovery—and simplifies the explanation of which incidents need to be recorded immediately.The new standards will help obtain executive buy-in for IT security programs they are implementing, CISOs said.“People generally know what you mean when you say personal information. But it helps us develop our policies and procedures to make sure we’re on the same level as to what we mean when we say sensitive information,” said Patrick Howard, the Housing and Urban Development Department’s CISO.Previously, agencies worked on different reporting timetables, depending on the incident. But in a recent memo, OMB strengthened notification procedures by making the one-hour requirement standard for any compromise of sensitive personal data.“You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches,” Karen Evans, OMB administrator for e-government and IT, wrote in the memo.“That’s clear-cut. It’s stringent but certainly doable,” Howard said.OMB issued the memo despite the fact that the Federal Information Security Management Act of 2002 already requires agencies to report security incidents within one hour to the U.S. CERT, which operates under the Homeland Security Department.“Under prior reporting requirements, agency performance was mixed,” said an OMB official, who requested anonymity.CISOs also have wanted OMB to clearly define personally identifiable information. That definition includes such information as someone’s name, Social Seciurity number, date and place of birth, mother’s maiden name and biometric records, as well as their educational, financial, medical, employment or criminal histories. The comprehensive definition makes it easier to include in glossaries of what CISOs are identifying.OMB has increased its guidance to push agencies toward stronger information security accountability following recent reports of data breaches at several agencies, including the Energy and Agriculture departments, the IRS and Navy.But it was the delayed report of the theft of sensitive information belonging to up to 26 million veterans, reservists and active-duty military—three weeks after the incident—that cast the spotlight not only on gaps in agencies’ security controls but also on notification procedures.And agencies are making gains with the addition of U.S. CERT’s operating and reporting procedures for agencies, OMB said.“Reporting performance is improving, but our goal has always been to prevent incidents before they occur. Agency managers and IGs have the primary role to ensure the agencies properly secure their operations and assets,” the OMB official said.The Government Accountability Office also found incident reporting varied in its analysis of the incident response plans and procedures of 20 agencies.“We reported that agencies were not consistently reporting cybersecurity incidents to U.S. CERT,” said Gregory Wilshusen, director of GAO’s information security issues.Some agencies reported incidents to U.S. CERT, others to law enforcement, while others did not report incident information outside their agency, he said.U.S. CERT officials also cited agencies’ inadequate details of incidents in the GAO report.“The level of detail that accompanied incident reports may not provide any information about the actual incident or method of attack,” Wilshusen said.OMB, however, is working against the self-protection of agency officials, said security expert Alan Paller, research director of the SANS Institute in Bethesda, Md.“Traditionally, agencies believed the risk [of] someone finding out they were a source of a data breach is lower than the risk of the pain they would take immediately if they reported it,” he said, adding there was only a small chance that the data would show up later.Heightened attentionThe attention from the flood of reported data breaches will help CISOs focus attention on the issue, Howard said.“This helps us do our job and elevate the importance that needs to be placed on it,” he said.HUD, like other agencies, implements its IT security program in cooperation with program offices.Howard sets the guidance, provides instructions and monitors compliance.“But we really have to rely on program offices and system owners to implement controls,” he said.To report a data breach, an individual would report it to the department’s national help desk. The help desk pushes it up to Howard, who reports the incident to U.S. CERT on its secure Web site to provide notification.The agency later provides a detailed report.U.S. CERT forwards the information with the appropriate Identity Theft Task Force contact, within one hour of notification by an agency, OMB said.OMB also has directed agencies to provide additional data about IT security for fiscal 2006 FISMA reports and 2008 budget submissions.