JC3 Incident Reporting Procedures
U.S. Department of Energy Facilities/Contractors Only
DOE O 205.1-B Chg 2 4.(c)(13) DEPARTMENT OF ENERGY CYBER SECURITY PROGRAM requires a defined "process for incident reporting that requires all cyber security incidents involving information or information systems, including privacy breaches, under DOE or DOE contractor control must be identified, mitigated, categorized, and reported to the Joint Cybersecurity Coordination Center (JC3) in accordance with JC3 procedures and guidance." This document outlines the referenced JC3 reporting procedures and guidance to facilitate your reporting and CIRC's response activity. CIRC should be informed of all reportable cyber security incidents as specified below. CIRC will work with your site management to determine the severity or significance of any cyber security incident.
For PII clarification for reporting, contact the Chief Privacy Officer.
Reportable Cyber Security Incidents
All DOE organizations will develop and document procedures for reporting cyber security incidents in their Cyber Security Program Plans (CSPPs) or similar documents for classified systems. DOE organizations will report cyber security related incidents that are significant or unusually persistent and meet one or more of the following criteria:
1.) Characterize and Categorize Cyber Security Incidents
Characterize and categorize cyber security incidents according to their potential to cause damage to information and information systems based on two criteria: Incident Type and Security Category. These criteria are used to determine the time frame for reporting incidents to the CIRC.
Type 1 incidents are successful incidents that potentially create serious breaches of DOE cyber security or have the potential to generate negative media interest. The following are defined as Type 1 incidents.
- System Compromise/Intrusion. All unintentional or intentional instances of system compromise or intrusion by unauthorized persons must be reported, including user-level compromises, root (administrator) compromises, and instances in which users exceed privilege levels.
- Loss, Theft, or Missing. All instances of the loss of, theft of, or missing laptop computers; and all instances of the loss of, theft of, or missing IT resources, including media, that contained Sensitive Unclassified Information (SUI) or national security information.
- Web Site Defacement. All instances of a defaced Web site must be reported.
- Malicious Code. All instances of successful infection or persistent attempts at infection by malicious code, such as viruses, Trojan horses, or worms, must be reported.
- Denial of Service. Intentional or unintentional denial of service (successful or persistent attempts) that affects or threatens to affect a critical service or denies access to all or one or more large portions of a network must be reported. Critical services are determined through Business Impact Analyses in the Contingency Planning process.
- Critical Infrastructure Protection (CIP). Any activity that adversely affects an asset identified as critical infrastructure must be reported. CIP assets are identified through the Contingency Planning process.
- Unauthorized Use. Any activity that adversely affects an information systems normal, baseline performance and/or is not recognized as being related to Senior DOE Management mission is to be reported. Unauthorized use includes, but is not limited to, port scanning that excessively degrades performance; IP (Internet protocol) spoofing; network reconnaissance; monitoring; hacking into DOE servers and other non-DOE servers; running traffic-generating applications that generate unnecessary network broadcast storms or drive large amounts of traffic to DOE computers; or using illegal (or misusing copyrighted) software images, applications, data, and music. Unauthorized use can involve using DOE systems to break the law.
- Information Compromise. Any unauthorized disclosure of information that is released from control to entities that do not require the information to accomplish an official Government function such as may occur due to inadequate clearing, purging, or destruction of media and related equipment or transmitting information to an unauthorized entity.
Type 2 incidents are attempted incidents that pose potential long-term threats to DOE cyber security interests or that may degrade the overall effectiveness of the Department’s cyber security posture. The following are the currently defined Type 2 incidents.
- Attempted Intrusion. A significant and/or persistent attempted intrusion is an exploit that stands out above the daily activity or noise level, as determined by the system owner, and would result in unauthorized access (compromise) if the system were not protected.
- Reconnaissance Activity. Persistent surveillance and resource mapping probes and scans are those that stand out above the daily activity or noise level and represent activity that is designed to collect information about vulnerabilities in a network and to map network resources and available services. The Senior DOE Management PCSP must document the parameters for collecting and reporting data on surveillance probes and scans.
Security categories characterize the potential impact of incidents that compromise DOE information and information systems. Such incidents may impact DOE operations, assets, individuals, mission, or reputation. Security categories identify the level of sensitivity and criticality of information and information systems by assessing the impact of the loss of confidentiality, integrity, and availability. Each of the security objectives confidentiality, integrity, and availability is assessed in the following manner:
- Low Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a limited adverse effect on DOE operations, assets, or individuals, including loss of secondary mission capability, requiring minor corrective actions or repairs.
- Moderate Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a serious adverse effect on DOE operations, assets, or individuals, including significant degradation, non-life threatening bodily harm, loss of privacy, or major damage, requiring extensive corrective actions or repairs.
- High Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on DOE operations, assets, or individuals. The incident could pose a threat to human life, cause the loss of mission capability, or result in the loss of major assets.
2.) Complete Incident Reports
Complete Incident Reports in a timely manner, and maintain all records. Incident management processes and procedures are included in Contingency Plan testing and integrated with Personally Identifiable Information incident reporting, Information Condition (INFOCON) processes and procedures, and each information system Contingency Plan.
- When a cyber security incident has occurred or is suspected to have occurred (potential incident), the affected site will immediately examine and document the pertinent facts and circumstances surrounding the event.
- The initial investigation of an event is completed within 24 hours. If the initial investigation of a potential incident cannot be completed within 24 hours, an initial report must be made within 26 hours. Once it is determined that an incident has occurred, the incident must be categorized according to Incident Type and Security Category, analyzed for impact to Senior DOE Management operations, and reported to CIRC within the time frames indicated in Table 1, in accordance with the process established in the applicable PCSP.
- All potential incident evaluations and incidents must be documented and local files retained.
- A monthly report on the status of incident resolution is to be required from all operating units whether or not any reportable successful or attempted cyber security incidents have occurred during the previous month.
Within 4 hours
Within 2 hours
Within 1 hour
Within 1 week
Within 48 hours
Within 24 hours
Required Time Frame for Reporting Cyber Security Incidents
Requirements for Reporting of Cyber Security Incidents Involving Personally Identifiable Information (PII). Senior DOE Management PCSPs are to direct operating units to develop, document, and implement policies and procedures for reporting incidents involving PII, in accordance with the following criteria.
- Establish, document, and implement procedures for reporting cyber security incidents related to PII in accordance with the processes and time frames outlined in this Guidance.
- Develop processes to notify the Information Owner once it has been determined that confidentiality of PII has been compromised.
- Ensure that all suspected or confirmed cyber security incidents involving media containing PII (including the physical loss/theft of computing devices) are reported to the DOE Cyber Incident Response Capability (CIRC) within 45 minutes of discovery. CIRC will report to the US-Computer Emergency Readiness Team (US-CERT) in accordance with its procedures.
- When reporting possible cyber security incidents involving PII, there should be sufficient reason to believe that a security breech has occurred and that PII is likely to have been involved. Otherwise, the incident should be reported following documented procedures for reporting all cyber security incidents.
- Reports to CIRC should be made via the AWARE portal, or alternatively by email to firstname.lastname@example.org, phone to 866-941-2472, or fax to 702-932-0189.
Incident Reporting Procedures
Incidents involving unclassified computer systems
Report cyber security incidents involving unclassified systems as listed below. CIRC encourages sites to utilize the flexibility offered by e-mail whenever possible.
Send e-mail describing the cyber security incident to email@example.com. Alternatively, call the hotline at 866-941-2472, or fax information to 702-932-0189.
Incidents Requiring Immediate Attention
If the cyber security incident requires priority handling, use the phrase "URGENT" in the e-mail subject line and an analyst will contact you. You can also call the hotline at 866-941-2472, where an analyst will man the phone 24x7x365. Please restrict the non-business hours use of the incident hotline to only emergency situations.
Information about unclassified cyber security incidents of a sensitive nature should be sent protected with encrypted e-mail. To facilitate this process, supply CIRC with your public encryption key, either Entrust or PGP. Contact CIRC for guidance on how to transmit information securely if encrypted means are not available.
Automated Scan Detection and Reporting
Some sites are utilizing automated methods for both detecting and reporting scans and probes. This provides CIRC with valuable data without undue burden on the site. If you are interested in using an automated tool, send e-mail to firstname.lastname@example.org.
Incidents Involving Classified Computer Systems
If the cyber security incident involves a classified system, call the CIRC Hotline 866-941-2472 and request a callback on the CIRC's STU. If you are not near a STU, call the CIRC Hotline with a STU number and a time to return your call. Please note these are not incidents that involve the "leaking" of classified material onto an unclassified system.
Incident Report Content
CIRC is available to all sites that need assistance in cyber security incident handling and gathering of incident information. In reporting cyber-related incidents to CIRC, provide as much detailed information as possible about how the incident occurred, what occurred, its impact, and what preventive measures have been implemented. Supply any log file information from the compromised system(s), routers, and/or firewalls in the communication path. CIRC will analyze this information and provide a detailed report regarding each unauthorized compromise.
CIRC understands that this information is not always readily available; however, any details you can provide will help with our analysis. Even if you have resolved the incident yourself, your report and analysis is valuable to CIRC in comparing this incident with those reported by other sites. It further assists CIRC in analyzing the DOE corporate threat and providing DOE and the NNSA with guidance. In assessing the significance and reporting of such cyber security incidents, the reporting organization must consider the following questions:
- Determine responsible party's identification, usually IP address(es) or host name(s).
- Does the compromise involve a country on the DOE Sensitive Country List?
- What type of information was the compromised system processing (classified or unclassified -- OUO, UCNI, NNPI, Export Controlled)?
- What service did the system provide (DNS, key asset servers, firewall, VPN gateways, IDS)?
- What level of access did the intruder gain?
- What hacking tools and/or techniques were used?
- What did the intruder delete, modify, or steal?
- What unauthorized data collection programs, such as sniffers, were installed?
- What was the impact of the attack?
- What preventative measures have been (are being) implemented?
- When was the cyber security incident detected?
- When did the cyber security incident actually occur?
- How was access gained?
- What vulnerability was exploited?
- How was the incident detected?
Incident Reporting Form
For your convenience, please contact us for the Word documents to report an incident.
Negative Reporting is a requirement for all DOE/NNSA sites and is effective per the Department of Energy memorandum concerning Cyber Security Incident Reporting. To address this, CIRC prefers to receive sites' negative reporting through e-mail. Please contact CIRC at email@example.com to work out any issues with this.
These instructions apply if your site has no incidents to report for the month. To indicate there have been no incidents for a given month at your site, please send an e-mail to firstname.lastname@example.org. The e-mail should contain the following:
In the Subject line, please type: CIRC NEGATIVE REPORT
In the body of the message, please type the following (including the sentence "No incidents to report"):
Your Name = your name
This information is necessary for CIRC to verify or track multiple reports from sites. Your name should include First name and Last name in that order. (Example: John Doe)
Job Title(s) - Optional = your title(s)
Optional: Your job title describes your responsibilities especially in regard to incident reporting. For example, do you have a security specific job title, such as ISSM or CPPM for a site, or if no security title, please indicate any computer related title, such as Network Manager or Systems Administrator. (Example: ISSM, Network Security Lead)
Site = your site's acronym
CIRC prefers the acronyms for sites, such as BNL or LANL, but if you are unsure of an acronym, please provide the whole name. (Example: DOE-HQ)
Reporting Month = the 3-letter abbreviation for the month you are reporting
This is the month for which you are providing a negative report. A month is from the 1st day through the last day of that month. 3 letter abbreviations are preferred (Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec).
"No incidents to report"
This phrase should show up in the body exactly as shown.