Agencies get cyberattack guidance
- By Diane Frank
- Oct 31, 2000
The CIO Council and the Office of Management and Budget issued guidelines
this week directing agencies to coordinate cyberattack reports and warnings
with the Federal Computer Incident Response Capability.
The memorandum details the processes that agencies should follow to
improve coordination and interaction with FedCIRC at the General Services
The memo requires agencies to:
* Report externally generated security incidents to FedCIRC.
* Make sure alerts and warnings from FedCIRC are received by the appropriate
people at each agency.
* Acknowledge, when necessary, that they received the FedCIRC messages
and explain the corrective actions taken.
The memo was signed by Sally Katzen, chairwoman of the CIO Council and
deputy director for management at OMB, and Jim Flyzik, vice chairman of
the council and CIO of the Treasury Department.
The CIO Council's Security, Privacy and Critical Infrastructure committee
developed the memo with OMB, GSA and agencies throughout government. It
comes in the wake of the problems with the reporting and response processes
that were highlighted by e-mail viruses earlier this year.
When the "love bug" hit in May, agencies and FedCIRC found themselves
struggling to get out warnings and put protections in place, and the General
Accounting Office testified before Congress that better information-sharing
procedures are needed.
By coordinating with FedCIRC, agencies will be able to improve security
not only for themselves, but also for other agencies. "When faced with security
incidents, an agency should respond in a manner that both protects its own
information assets and helps other organizations that might also be affected,"
the memo states.
The memo includes a table indicating three levels of agency contact
information for FedCIRC, including the agency CIO and the security manager
or system administrator for the agency's headquarters and offices. OMB asked
agencies to send contact information to FedCIRC by the end of October.
It also lists the type of information that should be shared between
agencies and FedCIRC and when the sharing should occur.