Page 1 of 8
US-CERT Federal Incident Notification Guidelines
This document provides guidance to Federal Government departments and agencies (D/As); state, local,
tribal, and territorial government entities; Information Sharing and Analysis Organizations; and foreign,
commercial, and private-sector organizations for submitting incident notifications to the National
Cybersecurity and Communications Integration Center (NCCIC)/United States Computer Emergency
Readiness Team (US-CERT).
The Federal Information Security Modernization Act of 2014 (FISMA) defines “incident” as “an
occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity,
confidentiality, or availability of information or an information system; or (B) constitutes a violation or
imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”[1]
FISMA requires federal Executive Branch civilian agencies to notify and consult with US-CERT
regarding information security incidents involving their information and information systems, whether
managed by a federal agency, contractor, or other source.[2] This includes incidents involving control
systems, which include supervisory control and data acquisition (SCADA) systems, distributed control
systems (DCS), programmable logic controllers (PLCs) and other types of industrial measurement and
control systems. Reporting by entities other than federal Executive Branch civilian agencies is voluntary.
These guidelines support US-CERT in executing its mission objectives and provide the following
benefits:
• Greater quality of information – Alignment with incident reporting and handling guidance from
NIST 800-61 Revision 2 to introduce functional, informational, and recoverability impact
classifications, allowing US-CERT to better recognize significant incidents.
• Improved information sharing and situational awareness – Establishing a one-hour notification
time frame for all incidents to improve US-CERT’s ability to understand cybersecurity events
affecting the government.
• Faster incident response times – Moving cause analysis to the closing phase of the incident
handling process to expedite initial notification.
Notification Requirement
Agencies must report information security incidents, where the confidentiality, integrity, or availability of
a federal information system of a civilian, Executive Branch agency is potentially compromised, to the
NCCIC/US-CERT with the required data elements, as well as any other available information, within one
hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT),
Security Operations Center (SOC), or information technology department. In some cases, it may not be
feasible to have complete and validated information for the section below (Submitting Incident
Notifications) prior to reporting. Agencies should provide their best estimate at the time of notification
and report updated information as it becomes available. Events that have been found by the reporting
[1] See 44 U.S.C. § 3552(b)(2). FISMA also uses the terms “security incident” and “information security incident” in
place of incident.
[2] See 44 U.S.C. §§ 3553-54. US-CERT serves as the federal incident response center.