White House Tightens Breach Rules For Federal Agencies
Government agencies must now alert US-CERT within an hour of any actual or suspected data breach involving personal information. But Gartner analysts say while the rule is a good PR move, it's too murky to be effective.
The White House set new rules last week that require government agencies to alert US-CERT within an hour of any data breach involving personal information. Tuesday, research firm Gartner said the directives were good PR, but too vague to be effective.
Last Wednesday, the Office of Management and Budget (OMB) sent a memorandum to the chief information officers of all federal agencies telling them that they must report any data breach to US-CERT within 60 minutes of discovery. US-CERT, which is part of the Department of Homeland Defense, is the federal information security clearinghouse and watchdog.
"You should not distinguish between suspected and confirmed breaches," the memo continued.
In turn, US-CERT is then to forward any such report to the "appropriate Identity Theft Task Force point-of-contact" within an hour of being notified.
Gartner analysts John Pescatore and Jay Heiser were unimpressed.
"[We] believe that the new OMB memorandum is primarily a public-relations response to recent high-profile security incidents," wrote Pescatore and Heiser in an online research note. "Nevertheless, we think it represents a positive change."
They noted that the notification timing shift meant events which may have gone unreported to US-CERT for up to a week must now be forwarded much faster. "An improper-usage incident — such as the detection of sensitive personal information on a home computer or other unsupported device — must now be reported within one hour," Pescatore and Heiser continued. "This will reduce the possibility that such incidents will be reported in the news media before being formally reported by the relevant government agency."
Even so, the existing definition of "improper-usage" is too murky, said the Gartner analysts, and in the long run, faster reporting won't do any good unless the government's security response is drastically improved.
Also on Tuesday, another arm of the OMB issued a memo to all departments and agencies spelling out new information they must provide to Congress under the Federal Information Security Management Act of 2002. Data collected under FISMA is used to generate scorecards on each agency's information security practices.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.