JC3 Incident Reporting Procedures
U.S. Department of Energy Facilities/Contractors Only
DOE O 205.1-B Chg 2 4.(c)(13) DEPARTMENT OF ENERGY CYBER SECURITY PROGRAM requires a defined "process for incident reporting that requires all cyber security incidents involving information or information systems, including privacy breaches, under DOE or DOE contractor control must be identified, mitigated, categorized, and reported to the Joint Cybersecurity Coordination Center (JC3) in accordance with JC3 procedures and guidance." This document outlines the referenced JC3 reporting procedures and guidance to facilitate your reporting and JC3's response activity. JC3 should be informed of all reportable cyber security incidents as specified below. JC3 will work with your site management to determine the severity or significance of any cyber security incident.
For PII clarification for reporting, contact the Chief Privacy Officer.
Reportable Cyber Security Incidents
All DOE organizations will include cyber security incident reporting procedures in their Cyber Security Program Plans (CSPPs) or similar documents for classified systems. DOE organizations will report cyber security related incidents that are significant or unusually persistent.
- Malicious Code: All instances (successful and attempted) of infection by malicious code (viruses, trojan horses, worms) must be reported.
- Loss, Theft, or Missing: All lost, stolen, or missing laptop computers and IT resources (including media containing Sensitive Unclassified Information or national security information) must be reported.
- PII: Personally Identifiable Information (PII) is information collected or maintained by the Department about an individual, including but not limited to, education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual’s identity, such as his/her name, Social Security number, date and place of birth, mother’s maiden name, biometric data, and any other personal information linked or linkable to a specific individual.
- Phishing: The attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) for malicious reasons, by masquerading as trustworthy in an electronic communication.
- Attempted Intrusion: An attempted intrusion is an exploit that stands out above the daily activity or noise level, as determined by the system owner, and would result in unauthorized access (compromise) if the system were not protected.
- Classified Spillage: Transfer of classified or sensitive information to unaccredited or unauthorized systems, individuals, applications, or media. Spillage may result from improper handling of compartments, releasability controls, privacy data, or proprietary information.
- Denial of Service: Intentional or unintentional denial of service (successful or persistent attempts) that affects or threatens to affect a critical service or denies access to all or one or more large portions of a network must be reported. Critical services are determined using Business Impact Analyses in the Contingency Planning process.
- Unauthorized Use: Any activity that adversely affects an information system's normal, baseline performance and/or is not recognized as being related to a Senior DOE Management mission must be reported. Unauthorized use includes, but is not limited to, port scanning that excessively degrades performance, IP (Internet Protocol) spoofing, network reconnaissance, monitoring, hacking into DOE servers and other non-DOE servers, running traffic-generating applications that ignite unnecessary network broadcast storms or drive large amounts of traffic to DOE computers, and illegal use of software images, applications, data, and music. Unauthorized use can involve using DOE systems to break the law.
Impact Classifications
Functional Impact
- HIGH - Organization has lost the ability to provide all critical services to all system users.
- MEDIUM - Organization has lost the ability to provide a critical service to a subset of system users.
- LOW - Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance.
- NONE - Organization has experienced no loss in ability to provide all services to all users.
Information Impact
- CLASSIFIED - The confidentiality of classified information was compromised.
- PROPRIETARY - The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised.
- PRIVACY - The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised.
- INTEGRITY - Information was modified without authorization.
- NONE - No information was exfiltrated, modified, deleted, or otherwise compromised.
Recoverability
- REGULAR - Predictable recovery time with existing resources.
- SUPPLEMENTED - Time to recovery is predictable with additional resources.
- EXTENDED - Time to recovery is unpredictable; additional resources and outside help are needed.
- NOT RECOVERABLE - Recovery from the incident is not possible (e.g., sensitive data exfiltrated and posted publicly).
- NOT APPLICABLE - Incident does not require recovery.
Completing Incident Notifications
Complete Incident Notifications within an hour of detection and maintain all records. Incident management processes and procedures are included in Contingency Plan testing and integrated with Personally Identifiable Information incident reporting, Information Condition (INFOCON) processes and procedures, and each information system Contingency Plan.
- When a cyber security incident has occurred or is suspected to have occurred (potential incident), immediately document the facts and circumstances surrounding the event.
- Once it is determined that an incident has occurred, the incident must be categorized according to the impact classifications, and reported to JC3 within one hour. The initial investigation is completed within 24 hours.
- Evaluations of incidents and potential incidents must be documented and local files retained.
Incident Reporting Procedures
Report cyber security incidents using the web-based incident submission form located at https://tickets.jc3.doe.gov.
Incidents Requiring Immediate Attention
For priority handling, contact the JC3 Call Center at 866-941-2472, where an analyst is available 24 hours a day, year-round. Please restrict after-hours calls to emergencies only.
Incidents Involving Classified Computer Systems
If the incident involves a classified system, call the JC3 Hotline 866-941-2472 and request a callback on the JC3's STU. If you are not near a STU, call the JC3 Hotline with a STU number and a time to return your call. Please note this does not apply to incidents that involve "leaking" of classified material onto an unclassified system.
Incident Report Content
When reporting cyber-related incidents to JC3, provide detailed information, including:
- How the incident occurred
- What occurred
- Preventive measures implemented
JC3 understands that detailed information is not always available; however, any details you can provide will help. If you have resolved the incident yourself, your report and analysis are still valuable to JC3. Your information further assists JC3 in analyzing the DOE corporate threat and providing guidance to DOE and the NNSA.