Federal Incident Reporting Guidelines

A computer incident within the federal government as defined by NIST Special Publication 800-61 is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.

Reports of computer incidents should include a description of the incident or event, using the appropriate taxonomy, and as much of the following information as possible; however, reporting should not be delayed in order to gain additional information:

All incident response teams should utilize this schema when reporting incidents to the US-CERT. Depending on the criticality of the incident, it is not always feasible to gather all the information prior to reporting. In this case, incident response teams should continue to report information as it is collected.

Federal Agency Incident Categories

In order to clearly communicate incidents and events (any observable occurrence in a network or system) throughout the Federal Government and supported organizations, it is necessary for the government incident response teams to adopt a common set of terms and relationships between those terms. All elements of the federal government should use a common taxonomy.

Below please find a high level set of concepts and descriptions to enable improved communications among and between agencies. The taxonomy below does not replace discipline (technical, operational, intelligence) that needs to occur to defend federal agency computers/networks, but provides a common platform to execute the US-CERT mission. US-CERT and the federal civilian agencies are to utilize the following incident and event categories and reporting timeframe criteria as the federal agency reporting taxonomy.

Federal Agency Incident Categories

Category Name Description Reporting Timeframe
CAT 0 Exercise/Network Defense Testing This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses. Not Applicable; this category is for each agency's internal use during exercises.
CAT 1 Unauthorized Access In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource Within one (1) hour of discovery/detection.
CAT 2 Denial of Service (DoS) An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.
CAT 3 Malicious Code Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. Daily
Note: Within one (1) hour of discovery/detection if widespread across agency.
CAT 4 Improper Usage A person violates acceptable computing use policies. Weekly
CAT 5 Scans/Probes/Attempted Access This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. Monthly
Note: If system is classified, report within one (1) hour of discovery.
CAT 6 Investigation Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.