White House Tightens Breach Rules For Federal Agencies
Government agencies must now alert US-CERT within an hour of any actual or suspected data breach involving personal information. But Gartner analysts say while the rule is a good PR move, it's too murky to be effective.
The White House set new rules last week that require government agencies to alert US-CERT within an hour of any data breach involving personal information. Tuesday, research firm Gartner said the directives were good PR, but too vague to be effective.
Last Wednesday, the Office of Management and Budget (OMB) sent a memorandum to the chief information officers of all federal agencies telling them that they must report any data breach to US-CERT within 60 minutes of discovery. US-CERT, which is part of the Department of Homeland Defense, is the federal information security clearinghouse and watchdog.
"You should not distinguish between suspected and confirmed breaches," the memo continued.
In turn, US-CERT is then to forward any such report to the "appropriate Identity Theft Task Force point-of-contact" within an hour of being notified.
Gartner analysts John Pescatore and Jay Heiser were unimpressed.
"[We] believe that the new OMB memorandum is primarily a public-relations response to recent high-profile security incidents," wrote Pescatore and Heiser in an online research note. "Nevertheless, we think it represents a positive change."
They noted that the notification timing shift meant events which may have gone unreported to US-CERT for up to a week must now be forwarded much faster. "An improper-usage incident — such as the detection of sensitive personal information on a home computer or other unsupported device — must now be reported within one hour," Pescatore and Heiser continued. "This will reduce the possibility that such incidents will be reported in the news media before being formally reported by the relevant government agency."
Even so, the existing definition of "improper-usage" is too murky, said the Gartner analysts, and in the long run, faster reporting won't do any good unless the government's security response is drastically improved.
Also on Tuesday, another arm of the OMB issued a memo to all departments and agencies spelling out new information they must provide to Congress under the Federal Information Security Management Act of 2002. Data collected under FISMA is used to generate scorecards on each agency's information security practices.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.