12:45 PM

White House Tightens Breach Rules For Federal Agencies

Government agencies must now alert US-CERT within an hour of any actual or suspected data breach involving personal information. But Gartner analysts say while the rule is a good PR move, it's too murky to be effective.

The White House set new rules last week that require government agencies to alert US-CERT within an hour of any data breach involving personal information. Tuesday, research firm Gartner said the directives were good PR, but too vague to be effective.

Last Wednesday, the Office of Management and Budget (OMB) sent a memorandum to the chief information officers of all federal agencies telling them that they must report any breach involving personally identifiable information to US-CERT within one hour of discovery. US-CERT, which is part of the Department of Homeland Security, is the federal government's information security clearinghouse and watchdog.

"You should not distinguish between suspected and confirmed breaches," the memo stated.

US-CERT, in turn, must forward any such report to the "appropriate Identity Theft Task Force point-of-contact" within an hour of being notified.

Gartner analysts John Pescatore and Jay Heiser were unimpressed.

"[We] believe that the new OMB memorandum is primarily a public-relations response to recent high-profile security incidents," wrote Pescatore and Heiser in an online research note. "Nevertheless, we think it represents a positive change."

They noted that the shift in notification timing means events that previously could go unreported to US-CERT for up to a week must now be forwarded much faster. "An improper-usage incident — such as the detection of sensitive personal information on a home computer or other unsupported device — must now be reported within one hour," Pescatore and Heiser continued. "This will reduce the possibility that such incidents will be reported in the news media before being formally reported by the relevant government agency."

Even so, the existing definition of "improper usage" is too murky, the Gartner analysts said, and in the long run faster reporting will accomplish little unless the government's security response itself is drastically improved.

Also on Tuesday, another arm of the OMB issued a memo to all departments and agencies spelling out new information they must provide to Congress under the Federal Information Security Management Act of 2002. Data collected under FISMA is used to generate scorecards on each agency's information security practices.

The most recent report card slapped the federal government as a whole with a D+ grade.
