Federal Incident Reporting Guidelines

See new federal incident notification guidelines. All D/As were permitted to continue reporting incidents using the below guidelines until September 30, 2015. 

A computer incident within the Federal Government as defined by NIST Special Publication 800-61 Revision 2 is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.

Reports of computer incidents should include a description of the incident or event, using the appropriate taxonomy, and as much of the following information as possible; however, reporting should not be delayed to gain additional information:

  • Agency name
  • Point of contact information including name, telephone, and email address
  • Incident Category Type (e.g., CAT 1, CAT 2, etc., see table)
  • Incident date and time, including time zone
  • Source IP, port, and protocol
  • Destination IP, port, and protocol
  • Operating System, including version, patches, etc.
  • System Function (e.g., DNS/web server, workstation, etc.)
  • Antivirus software installed, including version, and latest updates
  • Location of the system(s) involved in the incident (e.g., Washington DC, Los Angeles, CA)
  • Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)
  • Impact to agency
  • Resolution

All incident response teams should utilize this schema when reporting incidents to the National Cybersecurity and Communications Integration Center (NCCIC). NCCIC serves as the central reporting point for all federal information security incidents, required by FISMA, and designated in OMB M06-19 (available from whitehouse.gov). Depending on the criticality of the incident, it is not always feasible to gather all the information prior to reporting. In this case, incident response teams should continue to report information as it is collected.

Federal Agency Incident Categories

To clearly communicate incidents and events (any observable occurrence in a network or system) throughout the Federal Government and supported organizations, it is necessary for the government incident response teams to adopt a common set of terms and relationships between those terms. All elements of the Federal Government should use a common taxonomy.

Below please find a high level set of concepts and descriptions to enable improved communications among and between agencies. The taxonomy below does not replace discipline (technical, operational, intelligence) that needs to occur to defend federal agency computers/networks, but provides a common platform to execute the NCCIC mission. NCCIC and the federal civilian agencies are to utilize the following incident and event categories and reporting timeframe criteria as the federal agency reporting taxonomy.

Federal Agency Incident Categories

CategoryNameDescriptionReporting Timeframe
CAT 0Exercise/Network Defense TestingThis category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.Not Applicable; this category is for each agency's internal use during exercises.
CAT 1Unauthorized AccessIn this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resourceWithin one (1) hour of discovery/detection.
CAT 2Denial of Service (DoS)An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.
CAT 3Malicious CodeSuccessful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.Daily
Note: Within one (1) hour of discovery/detection if widespread across agency.
CAT 4Improper UsageA person violates acceptable computing use policies.Weekly
CAT 5Scans/Probes/Attempted AccessThis category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.Monthly
Note: If system is classified, report within one (1) hour of discovery.
CAT 6InvestigationUnconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.