Agencies should expect new guidance this year from the Office of Management and Budget on how soon they should report data breaches to the Homeland Security Department.
DHS told the Government Accountability Office it sent a draft version of the document to the federal Chief Information Officer’s Council in December and expects to send it to OMB for consideration by March 31.
“Ultimately, DHS’s goal is to begin phasing in any new incident reporting protocol issued by OMB and to provide all departments and agencies with a sufficient grace period to ensure their incident reporting systems and procedures can be transitioned smoothly to the new system by Dec. 31, 2014,” DHS wrote in a response to a new GAO report looking into agency data breaches.
GAO: One-hour rule of little value
GAO found OMB’s requirement to submit information about data breaches to the DHS U.S. Computer Emergency Readiness Team (US-CERT) within an hour after discovering the breach is of little value.
“Officials at agencies and US-CERT generally agreed that the current requirement that PII-related incidents be reported within one hour may be difficult to meet and may not provide US-CERT with the best information,” auditors wrote. “Specifically, officials at the Army, FDIC, FRB, FRTIB, and SEC indicated that it was difficult to prepare a meaningful report on a PII incident to US-CERT within the one-hour time frame required by OMB. The officials stated that meaningful information on an incident is often not available in that time frame, and reporting an incident to US-CERT without all relevant details would likely be of limited value. While VA officials stated that most of their incidents are reported in less than an hour, they do not believe the time frame is consistent with other US-CERT reporting guidelines and that the majority of the incidents would more appropriately be reported on a weekly basis.”
US-CERT told GAO that the one-hour time frame doesn’t give a clear picture of the reported incident and the information isn’t used to help remediate incidents or provide technical support to agencies.
“Further, US-CERT’s Chief of Performance Metrics confirmed that the vast majority of PII-related data breaches are not cybersecurity-related,” the report stated. “Specifically, the official estimated that seven of every eight reported breaches do not involve attacks on or threats to government systems or networks. The chief said that receiving information on such incidents on an individual basis is not useful to the office in pursuing its mission and that the office can take little action on the information collected about these incidents, other than to report it in aggregate form to OMB.”
Additionally, OMB staff said that they were unaware of the rationale for the one-hour time frame, other than a general concern that agencies report PII incidents promptly.
“The staff stated that OMB previously considered revising the PII reporting guidelines but that no action had been taken,” the report stated. “Until a more reasonable time frame is established that facilitates full reporting of meaningful information, much of the PII data breach information that US-CERT collects may be of limited value in understanding PII data breaches in government agencies.”
GAO recommends OMB revise guidelines
GAO recommended OMB revise the guidance on reporting data breaches to “better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk.”
OMB established the one-hour time frame in the wake of the Veterans Affairs Department’s loss of the data of 26 million veterans in 2006. The White House issued an executive order and OMB issued three related memos over the next 18 months.
GAO also found that agencies inconsistently applied other parts of OMB’s memos on data breaches. It examined eight agencies, both large and small, and determined that each had shortcomings in how it implements breach response policies and procedures.
Auditors made 22 total recommendations, both at the governmentwide level and specifically for the eight agencies GAO reviewed.
Sen. Tom Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Committee, said in a statement he will reintroduce legislation that would require businesses and agencies to respond more swiftly to data breaches. Carper introduced the Data Security Act of 2011 — the fourth time he’s brought such a bill to the Senate.
“As Americans take greater advantage of innovations that encourage us to communicate and do business online, it is imperative that we do not let technology out-pace our ability to protect sensitive information and prevent high-risk data breaches,” Carper said in a statement. “We also need to ensure that there are effective policies in place in both the public and private sector that are consistently utilized to protect consumers in the unfortunate event of a data breach. While the Government Accountability Office found that federal agencies do have notification plans in place, it is imperative that agencies heed GAO’s warnings and implement these policies in a more robust and consistent fashion. Furthermore, the Office of Management and Budget needs to ensure that it is updating its guidance and conducting adequate oversight of agencies’ implementation. It’s also critical that agencies utilize all of the tools and resources at their disposal to prevent a data breach from happening in the first place, such as the cybersecurity resources at the Department of Homeland Security.”