Federal Incident Reporting Guidelines
A computer incident within the federal government as defined by NIST Special Publication 800-61 is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
Reports of computer incidents should include a description of the incident or event, using the appropriate taxonomy, and as much of the following information as possible; however, reporting should not be delayed in order to gain additional information:
- Agency name
- Point of contact information including name, telephone, and email address
- Incident Category Type (e.g., CAT 1, CAT 2, etc., see table)
- Incident date and time, including time zone
- Source IP, port, and protocol
- Destination IP, port, and protocol
- Operating System, including version, patches, etc.
- System Function (e.g., DNS/web server, workstation, etc.)
- Antivirus software installed, including version, and latest updates
- Location of the system(s) involved in the incident (e.g., Washington DC, Los Angeles, CA)
- Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)
- Impact to agency
- Resolution
All incident response teams should utilize this schema when reporting incidents to the US-CERT. Depending on the criticality of the incident, it is not always feasible to gather all the information prior to reporting. In this case, incident response teams should continue to report information as it is collected.
Federal Agency Incident Categories
In order to clearly communicate incidents and events (any observable occurrence in a network or system) throughout the Federal Government and supported organizations, it is necessary for the government incident response teams to adopt a common set of terms and relationships between those terms. All elements of the federal government should use a common taxonomy.
Below please find a high level set of concepts and descriptions to enable improved communications among and between agencies. The taxonomy below does not replace discipline (technical, operational, intelligence) that needs to occur to defend federal agency computers/networks, but provides a common platform to execute the US-CERT mission. US-CERT and the federal civilian agencies are to utilize the following incident and event categories and reporting timeframe criteria as the federal agency reporting taxonomy.
Federal Agency Incident Categories
| Category | Name | Description | Reporting Timeframe |
|---|---|---|---|
| CAT 0 | Exercise/Network Defense Testing | This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses. | Not Applicable; this category is for each agency's internal use during exercises. |
| CAT 1 | Unauthorized Access | In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource | Within one (1) hour of discovery/detection. |
| CAT 2 | Denial of Service (DoS) | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity. |
| CAT 3 | Malicious Code | Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. | Daily Note: Within one (1) hour of discovery/detection if widespread across agency. |
| CAT 4 | Improper Usage | A person violates acceptable computing use policies. | Weekly |
| CAT 5 | Scans/Probes/Attempted Access | This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. | Monthly Note: If system is classified, report within one (1) hour of discovery. |
| CAT 6 | Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. | Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated. |