A crash course in security incident reporting

FY 2003 report to Congress

Security incidents that federal agencies reported in 2003 reveal a sharply divided picture of information security across the federal government.

The incident numbers, which the Office of Management and Budget reported to Congress March 3, were so divergent that OMB officials say they will go back to the drawing board to help agencies understand incident reporting requirements.

"We do have a governmentwide definition" for a security incident, said an OMB official who spoke on condition of anonymity. "But what we're finding is interpretation differences, even between bureaus."

Despite a federal definition, the Department of Housing and Urban Development reported a single information security incident last year, while Department of Health and Human Services officials recorded 348.9 million incidents.

Without more information than the aggregate numbers, the OMB official said it is impossible to know which number, if any, is suspect. However, in their report to Congress, OMB officials expressed "a continuing concern regarding the timeliness and accuracy of incident reporting by agencies."

Agencies also did a poor job of notifying the Federal Computer Incident Response Center of security incidents. Although such reporting is mandatory, agencies reported only 506,291 incidents to FedCIRC last year, a year in which federal agencies, in some cases, said they had had millions of such incidents.

Partly because of the difficulty of getting good incident data, Homeland Security Department officials have created several interagency groups to work on the problem. Indeed, one option might be a technical one, in which FedCIRC would pull incident data automatically from agency systems, the OMB report said. Automating the incident reporting process would greatly increase the raw data available for analysis.

What is most significant, though, is the number of times an attacker gains access and takes control of a machine remotely. "For the most part, you have no clue," either about when or how often this actually is occurring, said Alan Paller, director of research at the SANS Institute.

Rutrell Yasin contributed to this article.
