A crash course in security incident reporting

FY 2003 report to Congress

Security incidents that federal agencies reported in 2003 reveal a sharply divided picture of information security across the federal government.

The incident numbers, which the Office of Management and Budget reported to Congress March 3, were so divergent that OMB officials say they will go back to the drawing board to help agencies understand incident reporting requirements.

"We do have a governmentwide definition" for a security incident, said an OMB official who spoke on condition of anonymity. "But what we're finding is interpretation differences, even between bureaus."

Despite a federal definition, the Department of Housing and Urban Development reported a single information security incident last year, while Department of Health and Human Services officials recorded 348.9 million incidents.

Without more information than the aggregate numbers, the OMB official said it is impossible to know which number, if any, is suspect. However, in their report to Congress, OMB officials expressed "a continuing concern regarding the timeliness and accuracy of incident reporting by agencies."

Agencies also poorly notified the Federal Computer Incident Response Center of security incidents. Although such reporting is mandatory, agencies reported only 506,291 incidents to FedCIRC last year, a year in which federal agencies, in some cases, said they had had millions of such incidents.

Partly because of the difficulty of getting good incident data, Homeland Security Department officials have created several interagency groups to work on the problem. Indeed, one option might be a technical one, in which FedCIRC would pull incident data automatically from agency systems, the OMB report said. Automating the incident reporting process would greatly increase the raw data available for analysis.

What is most significant, though, is the number of times an attacker gains access and takes control of a machine remotely. "For the most part, you have no clue," either about when or how often this actually is occurring, said Alan Paller director of research at the SANS Institute.

Rutrell Yasin contributed to this article.

Featured

  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.