CHAPTER 1 - PART 1

INCIDENT RESPONSE PROCEDURES

1 BACKGROUND

Networks and information technology (IT) resources are continually vulnerable to illegal/malicious activity or exploitation by internal and external sources. Cyber Security(CS) incident handling is an important and required component of USDA’s CS program. CS related threats can exploit vulnerabilities in new or rapidly changing IT. The most common security threats are those that travel through and to networked systems. While it is impossible to eliminate all CS incidents, proactive incident prevention is a critical element of a mature incident management capability.

Preventative procedures such as patch management, firewalls, risk and vulnerability assessments and mitigation can reduce incidents. Not all incidents can be prevented. A flexible and adaptable incident response capability is a necessary part of managing network security threats. Damage to IT systems from a CS incident can occur in a short period. It is essential that all USDA organizations (agencies, staff offices, projects, mission areas, and contractor managed locations) have procedures in place that can be activated immediately. The inability of any USDA organization to recognize and promptly report incidents impacts and potentially compromises the information systems security program (ISSP) efforts of other USDA organizations and their customers.

The Federal Information Security Management Act (FISMA) of 2002 requires Federal agencies to establish incident response and handling capabilities. The law also requires USDA to report incidents to United States Computer Emergency Response Team (US-CERT) (formerly FedCIRC) in the Department of Homeland Security (DHS). Each Federal agency is required to designate a primary and secondary Point of Contact (POC) with US-CERT. The USDA US-CERT POC is located in OCIO CS. Each USDA agency, mission area and staff office is required to communicate with US-CERT through OCIO CS.

The need for an incident handling capability within USDA organizations that crosses agency boundaries has never been greater. This need will continue as long as those who exploit IT exist. Standard reporting and uniform operating procedures permit USDA and US-CERT to be better positioned for assessing risks, addressing vulnerabilities, reducing overall costs and meeting the security challenges of USDA’s information infrastructure.

2 POLICY

This chapter establishes the minimum policy and procedures for CS incident handling in USDA. A Department-wide incident handling and tracking capability will be supported and maintained by OCIO CS. Each agency is expected to establish, support and maintain their own internal policies, procedures or team to support prompt, effective and efficient resolution of CS incidents in accordance with the process outlined below. USDA organizations must acknowledge and respond to all CS incidents in accordance with the timeframes in the procedures below. A critical component of successful incident handling is a comprehensive knowledge and inventory of all Internet Protocol (IP) addresses that were delegated to agencies by Telecommunications Service Organization (TSO). Each USDA organization is also expected to control, allocate and maintain accurate electronic records of all assigned IP addresses as required by DR 3300 and assist with notification of emergency personnel. OCIO CS has documented its responsibilities and role to be the POC to US-CERT. OCIO CS will be responsible for notifying OIG and US-CERT of USDA incidents and their closure. US-CERT will acknowledge closure of incidents assigned their tracking number. All USDA organizations will ensure that all incident procedures are followed and that incident reporting is accomplished by the ISSPM through OCIO CS for all OCIO CS assigned incidents, even if they have their own incident response team (IRT). ISSPMs shall be responsible for certifying the accuracy of incident reports.

Policy Exception Requirements – There are no exceptions to the requirement that all agencies report incidents. However, USDA organizations that cannot comply with this policy are required to document shortcomings as formal policy exceptions. The CIO of the agency/staff office/mission area will submit all policy exception requests directly to the ACIO CS. Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy. USDA organizations cannot wait until CS incidents occur or cannot be closed to request an exception to policy requirements. Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestones (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer durations must be submitted to the USDA CIO for approval and contain a convincing case for the extension with an updated timeline for completion. Any approved extensions must continue to be documented in the agency’s annual FISMA report and quarterly POA&Ms. OCIO CS will monitor all approved exceptions.

3 PROCEDURES

An incident is the act of violating an explicit or implied security policy. The types of activity that are widely recognized as being CS incidents are violations categorized as, but are not limited to, attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data, or changes to system hardware, firmware or software characteristics without the owner’s knowledge, instructions, and approval. The level of consequence of an incident refers to the relative impact it has on an organization. The types of impact include: loss of data; the loss or theft of information, IT resources, revenue or confidence in a USDA agency or mission area by the general public or customers; or a high level of damage that must be corrected prior to system restoration.

a In USDA, CS incidents shall be declared for the following reasons:

(1) Analysis of intrusion detection system (IDS) reports that are rated as High: Internal, or High: External, and show system compromises in the logs;

(2) Notification by US-CERT of a USDA IP or e-mail address being the cause or victim of malicious or questionable activity;

(3) Alert, notification, or warning from other U. S. Government agencies that USDA IP address(s) is the target or originator of malicious activity;

(4) Notification by the USDA OIG of a complaint that requires CS investigation or technical support;

(5) Complaints by an Internet Service Provider (ISP) that detail specific, prohibited activities by a USDA host, IP address or e-mail address;

(6) Complaints by organizations and companies that exist to ensure copyright protection. These include the Business Software Alliance (BSA), Software & Information Industry Association (SIIA), Recording Industry Association of America (RIAA), The Motion Picture Association of America (MPAA), and companies that monitor the Internet on behalf of movie, video, and music copyright holders;

(7) Floods of viruses, worms and Trojan Horses for which anti-malicious code/anti-virus software is not available. In attacks such as Code Red, Nimda, Slammer, and Blaster One, one USDA incident number will be assigned for the entire process;

(8) Complaints from the public, or other employees that include specific examples or references of inappropriate or illegal use by USDA employees, cooperators, partners or contractors utilizing USDA IT; and

(9) A self-discovery by a USDA organization that meets the

definition of an incident (i.e., virus discoveries, criminal actions, etc.)

Figure 1

b Cyber Security Incidents are to be declared when they are serious and considered major in nature. They are declared based on the

assessment of the gravity of the situation, sensitivity of information threatened or compromised and the potential for harm to USDA. Outlined below are criteria for the high-level incidents or medium and low events:

Figure 1

b CS incidents are to be declared when they are serious and considered major in nature. They are declared based on the

assessment of the gravity of the situation, sensitivity of information threatened or compromised and the potential for harm to USDA.

Outlined below are criteria for the CS incidents (High Level Events) or medium and low level events:

(1) Cyber Security (CS) incidents are High Level Events or US-CERT Priority Level 1 and 2 disruptions that are the most serious and considered ‘major’ in nature. Because of the gravity of the situation and the high potential for harm to USDA, these incidents should be handled immediately. USDA CS incidents include events, activities, and violations such as: possible life threatening activity, compromise of critical systems or information, root compromise, child pornography, pornographic trafficking, music/unauthorized software trafficking, any violation of law or agency specific policies or statute. Any activities that are not normally reported to US-CERT but are reported to OIG, Human Resources or law enforcement are defined as CS incidents and will be assigned an incident tracking number (ITN). These incidents will be handled using an accelerated and principals only/limited distribution CS incident response. If criminal proceedings are initiated, the USDA incident handler may not have a need-to- know further details.

Agency ISSPMs who have suspected or confirmed incidents in this category are to immediately report the severity and coordinate the incident response with the ACIO for CS or designate. If the incident remains open for more than 15 days, ACIO CS will send the agency CIO a one-time notification of open incident(s). Each USDA organization’s CIO will respond with corrective actions; a POA&M will also be initiated until incident(s) are closed.

CS incidents include:

Suspected computer or network break-In (of a USDA computer or by USDA computer);
USDA website defacements or compromises, including failure to take the website offline or deregister the URL when the website is no longer used or supported by USDA;
Successful DoS attacks by USDA computers or against USDA computers;
Computer Virus/Worms/Trojan Horses for which anti-virus software updates are not available or their deployment will be delayed (depending on impact to Agency/Department);
Detection of malware, including viruses, worms, Trojan Horses or spyware, caused by employees who have declined to bring laptops into the office for upgrades;
Connection of non-Government computers and servers to the USDA network without authorization or in violation of security policies;
Unauthorized use of a system for processing or storing non-USDA or prohibited data or information on USDA IT resources, including the establishment and operation of a private or personal business;
Changes to system hardware, firmware or software without the system owner’s authorization;

· Property destruction related to a CS incident (exceeding $100,000);

Personal theft related to a CS incident (exceeding $100,000);
Electronic file transfer (EFT) exploitation/manipulation or engaging in Phishing or Pharming;
Installation, use or sharing of Peer-To-Peer Software;
Activity including unauthorized or illegal serving out, downloading or sale of copyright material;
Child pornography;
Pornography;
On-Line gambling;
Attempts to circumvent access to any USDA blocked Web Sites such as pornography, gambling and hate crimes;
Download, use or sharing of copyright protection music or unauthorized software;
Misuse of Government property, facilities or services including accepting payment or services to provide access to or use of USDA IT resources in excess of one’s authority, such as forwarding spam, engaging in unofficial/unauthorized chat, non-USDA e-mail and instant messaging services; and
Any violation of law.

Other types of incidents are categorized as adverse CS events and shall not be declared CS incidents unless there is a confirmed compromise of sensitive information, a threat to USDA IT resources or subsequent escalation to a CS Incident.

(2) Medium level Cyber Security (CS) events are potentially serious and should be handled the same day the event occurs or notification of the event is made to USDA organization (normally in two to four hours of the event). These events can be reported to the agency ISSPM by OCIO CS (when detected in USDA/OCIO), the helpdesk, system administrator (SA) or incident handler(s) or incident response team (CSIRT).

These include:

· Adverse action resulting in employee termination

in which the Government computer is neither the tool or target of the action;

US-CERT priority level 3 activity;
IDS reports that define activity as medium;
Unauthorized use of a system for processing or storing USDA data;

· Property destruction related to a CS incident (less than $100,000);

Personal theft related to a CS incident (less than $100,000);
Misuse of Government property, facilities and services;

· Unconfirmed computer virus/worms (depending on impact to Agency/Department and if the infection is the result of a security policy violation); and

· Undocumented or unapproved vulnerability scans.

(3) Low level Cyber Security (CS) events are the least severe and should be investigated within three working days after the event occurs. These events can be reported to the agency ISSPM by OCIO CS (when detected in USDA), the helpdesk, SA or incident handler or incident response team (IRT).

Low level CS events include:

· Loss or compromise of a personal password;

· Suspected sharing of USDA accounts;

· Minor misuse of Government property, facilities and services;

· US-CERT Priority Level 4 Incident Reporting Guideline events;

· Unsuccessful scans/probes (internal & external); and

· Computer virus/worms (depending on impact to Agency/Department).

Agencies and staff offices shall not be required to report actions taken to mitigate adverse events unless requested or instructed to by ACIO CS.

c Incident Handling Phases – The incident handling process is

comprised of seven phases that compose an effective response to the overall incident. These phases are designed to ensure that no portion of the process is overlooked and consistency in incident handling is maintained. The steps in each phase are listed below:

Figure 2

(1) Incident Prevention – NIST Special Publication 800-61 reminds Federal agencies that keeping the number of incidents low is important to protect their business processes, mission and reputation. If security controls are insufficient or security policies are not enforced large numbers of incidents can occur with overwhelming consequences for the agency and USDA as an organization. In addition, to prevent incidents each agency and staff office must conduct and keep current risk assessments of systems and applications. These assessments should determine what risks, if any, the combinations of threats and vulnerabilities pose to those systems.

Incident Indications, Alerts & Warnings – OCIO CS will analyze suspected events, complaints and findings from a variety of sources and notify agencies of these occurrences. These sources include: the IDS, US-CERT, other Federal agencies, Federal Trade Commission, OIG, ISP, internal audit or assessment, and private copyright protection organizations. ACIO CS does not automatically declare those communications to be incidents. When OCIO CS and/ or TSO cannot adequately or promptly determine the accuracy of the indications, alerts and warnings by providing their own findings they will defer to the USDA organization to make a finding. When USDA organizations do not respond with a finding within 48 hours, ACIO CS will declare these to be a CS Incident.

(2) Incident Notification - Incident notification is a multi-stage process. Suspected events, complaints and incidents can occur anytime during a 24-hour period. For this reason, USDA has established an Incident Handling Program Manager in OCIO CS. The Incident Handling Program Manager will ensure that USDA organizational personnel are provided with notification of suspected intrusions and receive and document the suspected incident regardless of the source. Each USDA organization will ensure that OCIO CS has a current electronic list of Agency incident contacts in order to ensure that USDA organizations can be reached promptly to resolve incidents effectively. This list will include the agency ISSPM, Deputy ISSPM and the CIO. The ISSPM will be the individual who is responsible for the overall management and resolution of all suspected incidents in agencies and staff offices.

Each USDA organization will establish internal IRT to handle incident data, determine the impact of the incident and act appropriately to limit the damage to the organization and restore normal services. In OCIO, there is a coordinating team Led by OCIO CS staff who will act as the Incident Handling Program Manager. This coordinating team can elect to activate the “Ad Hoc IRT” from all areas of USDA, as required, to assist USDA organizations in responding to major incidents that threaten department resources. Outside resources often provide objectivity and can be helpful to the internal team under pressure to resolve the crisis. The primary role of the coordinating team is to provide guidance and advice to the agency internal IRT without having authority over the team. The agency ISSPM or Deputy ISSPM will notify the agency IRT when a suspected incident is reported by OCIO CS for response and action. Agencies can respond to these incidents using a team already established for this purpose or assign individuals based on the action needed in an ad hoc fashion. However, the designated team should be part of a centralized response by the agency to ensure that the process is consistent across the organization and information is shared at all layers rapidly and effectively.

(3) Incident Identification/Declaration – ACIO CS does not automatically declare findings to be incidents. However, USDA organizations must respond in 48 hours or ACIO CS will declare an incident. ACIO CS will need a finding or status report to prevent their declaration. When ACIO CS declares an incident, a USDA Incident Tracking Number (ITN) is assigned by which the department tracks and responds to requests for information concerning the incident. Agency internal IRTs may also assign their own internal number for tracking purposes. However, all reports must reference the USDA and US-CERT tracking number for reporting purposes. ACIO CS is still the departmental POC for all incidents and is responsible for providing notifications, status reports and close out recommendations to US-CERT, OIG and other oversight authorities. In addition, ACIO CS acts as the POC for notification of the CIO, responds to requests for status and to Secretarial inquires. OCIO, in coordination with the Office of Communication (OC), is responsible for all dealings with the media and public. USDA agencies are to direct inquiries from these sources to OCIO for response and resolution.

During this phase an incident or incidents may be cancelled. Cancellation occurs when investigations determine that no incident occurred, the IDS provided a “false positive”, or information related to the incident was incorrect. A cancelled incident is the same as a closed incident.

(4) Incident Preparation – Each USDA organization will develop their own incident handling procedures and notification trees. Documentation and forms should be available at the outset of each formal incident or event that shall be updated at each stage of the incident and shall be finalized at incident/event conclusion. The USDA CIO, through ACIO CS, will be kept abreast of the status of ongoing major incidents at regular intervals (as events change or progress is made) by the agency until resolution of the incident.

(5) Incident Response – This phase includes the analysis of how the incident happened, how to handle the situation so that it is resolved quickly and to ensure that it does not reoccur. Each USDA organization will develop internal response procedures that support the actions that must be taken in responding to incidents. At a minimum, the internal procedures will include a reporting chain and require the involvement of organizational personnel and OCIO CS. These procedures will also require the preservation of evidence, assessment, containment and recover actions, damage determination, report documentation, lessons learned and the identification of corrective actions required by the agency security program managers and CIO.

There are three definitive sub-phases of this process: assessment and containment, recovery operations, and damage analysis.

Assessment and containment – This process begins as soon as suspicious activity is detected and personnel are designated to take immediate action to resolve the incident. The IRT(s) must be empowered to take containment actions up to and including the immediate shut down of the system to prevent further intrusion or damage to the agency system or other department networks or resources. The Department CIO also has the authority to issue a “Cease and Desist” order to bring a system down should the circumstances dictate or the agency not respond in a expeditious manner to the incident (normally 12 hours). Additionally, the department may issue a port or IP address block internally or externally. This block will remain in place until the incident is officially closed by OCIO. Reporting through the agency ISSPM to OCIO CS will occur simultaneously when accurate information is available, particularly in cases where the preliminary assessment indicates that significant damage to USDA resources may have occurred. Unavailability of any official in the organizational reporting chain is not to delay the continuation of the incident notification or response process.

Recovery operations - Each USDA organization should prioritize those actions that support the smooth recovery of a compromised system(s). In no case should a compromised system, web page or application be returned to normal operation without the approval of ACIO CS. The ISSPM will request that OCIO CS permit the system(s), web page, or application to resume normal operation. OCIO CS reserves the right to further scan the system to ensure that appropriate security is in place to protect the Department. The agency may resume normal operation of the restored system, upon ACIO CS approval and the completion of the IT incident report. The ACIO CS will have 1 working day to respond with the approval or disapproval to return the system to normal operation. If a system is mission critical, the USDA organization can coordinate directly with the ACIO CS for a more immediate system restoration, on a case-by-case basis. If the USDA organization does not receive a response within that time, they can return the system to normal operation provided that they feel adequate security protection is in place to prevent future incidents.

Damage analysis - An analysis of all CS incidents is to be initiated immediately after assessment, containment and recovery actions are completed by each agency ISSPM. The ISSPM will determine if the incident is confined to one agency or multiple agencies and if there is impact to organizations outside USDA. The impact to each system will be analyzed to determine if the control of the system has been compromised. All compromised systems will be disconnected from external communications as soon as possible, but not later than 12 hours from discovery of the incident. Control of a system is lost when the intruder obtains control of the root or system accounts with administrative privileges. A determination is to be made if log files have been erased or compromised.

The ISSPM will initiate the process of estimating the overall economic impact of the incident to the USDA organization and Department in coordination with the system owner/business manager. At a minimum, the estimate will be quantified in terms of loss of system(s) availability, loss of response capability to customers, cost of equipment/software to repair, and hours of personnel associated with the repair or restoration of the system(s). The damage assessment report will be reviewed and concurred on by the system owner/business manager prior to inclusion in the CS Incident report. This information will then be updated in the CS Incident report.

(6) Incident Reporting – involves formal documentation that a CS Incident occurred using the departmental formal reporting process established in this policy. All USDA completed incident report documentation is to be reported to OCIO CS. OCIO CS is responsible for incident reporting to the OIG, US-CERT, and law enforcement for any violation of law. CS incidents are to be tracked and closed in accordance with the requirements of this policy. However, CS incidents that involve violations of the law or investigation will be separately tracked as resolution may not occur for a protracted period of time.

Figure 3

(7) Incident Closure – This process occurs when an agency IRT or manager prepares the incident report based on internal peer review of the incident, and lessons learned are developed and documented. The lessons learned are noted on the formal incident reporting form. OCIO CS shall conduct an internal peer review. If the peer review recommends closure, OCIO CS shall update its records to document closure and request close-out approval from US-CERT.

c Law Enforcement Responsibilities. Threats of harm to a USDA employee or contractor at the official duty station by someone using computer e-mail are a serious type of CS incident. All acts of violence should be promptly reported to supervisors or managers and in the case of an emergency, directly reported to the USDA Local Security Guard Command Center. Any agency ISSPM or representative who receives a report of a threat using electronic equipment should complete an intrusion report, Appendix A, and forward the information to ACIO CS for referral to the OIG. The OIG regards threats using computers as “Workplace Violence”. Incidents are referred to the FBI Violent Crimes Unit. More information on Workplace Violence can be obtained from the Violence Prevention Program Website http://www.usda.gov/da/workviolence.htm.

All CS events, deemed major in nature by ACIO CS involving computer systems, websites and applications, are also reported to the OIG. The OIG will review the case (incident) and routinely advise ACIO CS if criminal referral is necessary and of the disposition within 30 days from receipt of the official report. Possible disposition includes: internal investigation, referral to the FBI, or no action by the OIG. In cases of no OIG criminal referral, the USDA organization shall be responsible for handling the incident.

The ACIO for CS, through the CIO and the Secretary, can escalate the matter to the OIG for accelerated support and case disposition in major CS incidents involving a high threat magnitude. In those instances, the OIG will respond within 5 working days from receipt of the official report.

f Incident Response Forms, Contact Lists and Time Frames. All USDA organizations must use the incident reporting forms and contact lists in the Appendices in order to properly respond to CS incidents. Each form has time frames for required agency action.

(1) CS Incident Report (Appendix A) is to be used by the ISSPM or Deputy to update major incident information throughout the entire incident response process. The final report is to be completed not later than 15 days from official notification of each major IT Incident.

(2) Agency ISSPM/Deputy ISSPM/CIO Contact List (Appendix B) contains the agency CS Incident contact information. Each agency/mission area is responsible for providing this list to OCIO CS. OCIO CS will maintain this list electronically and use this list in their CS incident notification process. This list should include the agency ISSPM, Deputy ISSPM and CIO as the contacts responsible for maintaining/operating agency systems/networks. All individuals identified should have the technical knowledge to support USDA’s overall incident response program effectively and provide internal notification to agency officials when major IT Incidents occur. The accuracy of the names, phone numbers and e-mail addresses is the responsibility of each USDA organization; agency ISSPMs will review and update this information as necessary.

4 RESPONSIBILITIES

a The USDA Chief Information Officer and Deputy will:

(1) Be notified immediately after confirmation that a High level CS incident has declared and assigned a USDA CS incident tracking number;

(2) Have final authority on all decisions relating to the management/response to an Major CS incident;

(3) Be responsible for notifying the Secretary all CS incidents that could become the focus of media or administration interest and provide regular updates based on the gravity of the threat; and

(4) Make determinations regarding release of information consistent with applicable Federal Statutes or regulations and serve as the contact point with the media in coordination with the Office of Communications.

b The Associate Chief Information Officer for Cyber Security will:

(1) Function as the Department ISSO;

(2) Coordinate incident handling management of all USDA/OCIO declared CS incidents with oversight authority to ensure that all reports and responses are prepared, appropriate personnel are involved, appropriate organizations are contacted and proper actions are taken to resolve the incident;

(3) Provide technical assistance to the OIG in support of case investigations;

(4) Notify the CIO immediately after confirmation that a CS Incident has occurred;

(5) Receive reports of suspected CS incidents from the following sources:

(a) US-CERT and other internal or external intelligence sources;

(b) ISSPM/Agency representatives;

(d) Agency employees.

(6) Review all field incident intelligence, facts surrounding the case and Level of Consequence. In coordination with the Agency ISSPM/representative, OCIO CS will make a corporate decision concerning countermeasures. Countermeasures can include a request to the SOC for blocking some/all system activity or monitoring of the system by agency engineers;

(7) Assemble and deploy the “Ad Hoc IRT” to augment agency incident response or to protect departmental information assets, if required;

(8) Review all agency requests for compromised systems/applications to ensure systems have been adequately patched/updated with security control prior to resumption of normal operations. In addition, review with the SOC the results of system scans. Approve/disapprove system/application/web page return to normal operation within 24 hours of formal agency request;

(9) Be responsible for notifying the CIO with information

concerning all CS incidents; provide regular updates based on the gravity of threat;

(10) Escalate as necessary High level CS incident cases with Secretarial interest to the OIG;

(11) In cases of illegal/inappropriate activities, refer the case to the agency for administrative actions against employees/contractors, if the OIG elects not to investigate;

(12) Assure that this procedure is modified as necessary, disseminated and enforced on behalf of the CIO;

(13) Serve as the Department POC for collecting and analyzing information on incidents;

(14) Review and identify agencies that are responsible for compromises using the current centralized listing of all IP address ranges for all USDA activities;

(15) Maintain a current telephone and e-mail listing of all agency ISSPMs and their deputies;

(16) Maintain contact with internal/external parties and provide whatever assistance is needed to ensure that activities required to resolve a CS incident are taken;

(17) Review all USDA IT intrusion reports as received from reports from Firewalls/IDS;

(18) Coordinate with agencies to make an agency decision regarding the CS Incident. Possible decisions include: shut down of system, SOC blocking of external/internal activity, or careful monitoring of affected system;

(19) Assign an USDA ITN to each case. Report the incident electronically to US-CERT for review and action. US-CERT will assign an incident number, review the case and provide recommended actions via e-mail; forward the US-CERT information to the agency ISSPM;

(20) Coordinate with the SOC the deployment of the ad hoc IRT composed of ISSPMs to respond to CS incidents, when required;

(21) Advise and assist the affected agency ISSPM in the assessment and containment actions, as necessary;

(22) Provide a consolidated report on all open agency CS incidents weekly with progress on agency resolutions;

(23) Provide progress reports on all open incidents weekly;

(24) Send an electronic report daily to ISSPMs on penetration exploits that are fast paced; more routine penetration exploits will be reported weekly to the ISSPMs via e-mail;

(25) Assist in the population a current electronic database of all CS incidents and events; OCIO CS will use this database for tracking and reporting purposes;

(26) Assist the agency ISSPM with the incident response and

preparation of all CS incident reports, if required;

(27) Ensure that incident handling actions taken are in accordance with established policies and procedures including incident close out; and

(28) Provide copies of the latest information on security products, breaches and alerts to the agency ISSPMs to increase their level of security awareness.

c The OCIO, CS Security Operations Center (SOC) will:

(1) Provide a POC for formally receiving notification or notifying ACIO CS of potential or actual CS incidents, 24 hours a day, seven days per week;

(2) Notify ACIO CS of potential incidents via e-mail and copy the appropriate Agency ISSPM;

(3) Manage and monitor all Departmental network backbone nodes on a 24-hour basis for network incidents/intrusions;

(4) In collaboration with OCIO CS, ensure that compromised systems have been patched and scanned before incident closure and approval to return to the network or before removal of blocked IP addresses;

(5) Provide USDA organization incident handlers and ISSPMs with technical expertise that will enable them to correctly complete the US-CERT or USDA incident report documents;

(6) Review IDS procedures including IDS reporting formats to ensure that they are meaningful to the recipients and initiate changes in the IDS reports and firewall configurations to reduce intrusions; and

(7) Survey the commercial market for the latest IDS/IPS software/hardware enhancements to ensure that USDA systems are continuously protected by an updated system.

d The Office of the Inspector General will:

(1) Provide notification of non-criminal case disposition electronically to the ACIO CS (Unless such case involves the OCIO directly, in which case only the CIO will be briefed on case disposition. Possible disposition includes: internal investigation, referral to the FBI or no action. Case disposition will be noted in the notification;

(2) Ensure that CS incidents involving threats are forwarded to the FBI, Violent Crimes Unit for action. Notification will be provided to ACIO CS of this action;

(3) Provide accelerated support and investigative assistance to the ACIO CS on all CS incidents involving a high level of magnitude as determined by the Secretary. Provide case disposition notification within 5 days from receipt of official report to include proposed investigative actions and time frames;

(4) Review and approve all USDA agencies forensic lab equipment, software and procedures;

(5) Advise ACIO CS of any investigative actions involving routine CS incidents which do not pose an immediate risk to USDA assets and on a quarterly basis; supply updates on pending cases, as often as a significant development occurs; and

(6) Provide CS intelligence information when received to the ACIO CS.

e USDA Organization (Agency, Staff Office, Program Office) Chief Information Officer will:

(1) Be responsible for ensuring incident handling within the organization is accomplished by:

(a) Ensuring that incident response personnel are assigned, trained, and understand their responsibilities in the organization’s incident handling process;

(b) Providing ACIO CS with the names, phone numbers, e-mail addresses of the organizational personnel responsible for incident handling;

(d) Providing adequate resources and support enabling the organization's ISSPM to comply with the requirements of this policy; and

(e) Documenting, establishing, and implementing internal tactical procedures for reporting and responding to incidents to initiate and/or request assistance in complying with this directive;

(2) Ensure procedures include the system shutdown and mitigation actions necessary to safeguard agency systems/information assets. In all cases, the safety of USDA information assets must take priority over system availability;

(3) Respond to requests from the ACIO CS for administrative action against agency personnel/contractors as a result of unauthorized or illegal CS incidents;

(4) Establish and maintain an agency forensic capability sufficient to gather, collect, and preserve computer evidence when requested by either OIG or CS. (Note: the OIG will review and approve all agency forensic processes and procedures.);

(5) Assign telecommunications and security personnel to the agency Cyber Security Incident response team (CSIRT) as needed;

(6) Ensure that an accurate electronic listing of all IP addresses assigned to all agency activities is maintained and made available to the ISSPM, updated as changes occur and sent to OCIO CS on a monthly basis;

(7) Take the appropriate containment actions to provide

adequate security in the agency environment; assume the ultimate responsibility for final resolution of all CS incidents;

(8) Collaborate with OCIO incident handling personnel promptly in making the necessary corporate and organizational level incident containment decisions;

(9) Ensure that the agency ISSPM is actively engaged in the incident process from the outset; delegating backup personnel to act for the ISSPM in their absence to handle incident responsibilities;

(10) Establish an agency IRT with the necessary skills and knowledge to quickly respond to agency threats; the organization’s ISSPM/IT staff will be responsible for this team;

(11) Make certain that system administrators, in collaboration with the organization’s ISSPM, rapidly implement the actions required to mitigate or correct any identified incident and perform interim/follow-up activities until the incident is officially closed;

(12) Assure that all respective SA, IT personnel, and agency employees are aware of the requirement to report all suspected computer attacks, virus, threats or suspicious activity to ACIO CS;

(13) Run scans on affected IP address to ensure any

vulnerabilities are corrected; false positives need to be

verified with OCIO CS;

(14) Request approval from the ACIO CS to return compromised systems/applications to operational status; ensure that compromised systems/applications remain off line and disconnected from the Internet until approval is received;

(15) Ensure that system owners/business managers participate in the High level CS incident damage assessment process with regard to determination of the value/sensitivity of information and review/concurrence in the final damage report;

(16) Ensure that a privacy determination is performed to ascertain if any individual’s privacy has been compromised;

(17) Determine loss of program support of the affected system;

(18) Provide oversight in the development and completion of appropriate incident reporting documentation including the formal reports identified in the figures and Appendix A of this regulation within the required time frames; and

(19) Make certain that mitigation and countermeasure actions are taken to prevent CS incident recurrences, including a formal POA&M to cover all high level intrusions that cannot be corrected immediately; and

Ensure that internal controls surrounding the CS incident have been evaluated and updated as necessary to prevent the recurrence of the incident. Document this evaluation and the conclusions reached and make available to OCIO CS upon request.

f The Agency Information Systems Security Program Managers (ISSPM)/designate will:

(1) Manage and act as the focal point for the agency in the review, containment and final resolution of all CS incidents;

(2) Serve as the agency POC for all law enforcement investigations of CS incidents that were not taken on by the OIG;

(3) Promptly report and refer CS incidents involving employee threats (made or received by USDA employees/contractors) to the OIG for investigation and possible referral. The threatening e-mail (s) should be printed and faxed to the designated OIG office and the Departmental ISSPM. The printed copies will be kept in a locked file cabinet or safe for evidentiary purposes;

(4) Ensure that all members of the organization’s IRT and other incident handlers are provided with copies of all USDA CS policies and that they understand the requirements;

(5) Review and update the Agency incident contact list every as necessary to ensure accuracy of the data. Send all changes electronically to OCIO CS to use in incident notification action;

(6) Ensure that all US-CERT emergency advisories, alerts or notifications are promptly forwarded to individuals responsible for organizational systems; act as an advisor to agency IT managers regarding CS products/solutions based on own knowledge or information received from OCIO CS;

(7) Maintain a current and accurate electronic listing of IP addresses assigned to all agency activities and update as changes occur; this listing will be furnished to OCIO CS and TSO monthly and updated as changes occur;

(8) Review all intelligence reports on USDA CS incidents from all sources and in coordination with OCIO CS promptly make corporate and agency containment decisions to protect USDA IT assets;

(9) Electronically file a CS Incident report, Appendix A,

within 24 hours of discovery of an event with ACIO CS, Departmental ISSPM/Deputy; provide required information in this report including IP address, type of information being processed and preliminary incident information;

(10) Begin the rapid coordination of CS incident assessment, containment, recovery, and damage analysis actions for compromised systems/applications/web pages;

(11) Provide immediate notification to the agency IRT of the incident and facts surrounding the case; participate in the overall actions of the team to effectively respond to each intrusion; take an active role in ensuring that IRT members are trained and responsive to high level intrusions;

(12) Update the CS incident report and include all required general, contact and host information, incident category data, security tools in place, and detailed descriptions of the incident as soon as possible during the assessment and containment process. Provide verbal status updates when significant changes occur in the incident status to the Departmental ISSPM. The final report should also include agency internal controls evaluated and any changes to such controls to prevent recurrence of the same or similar incident. Interim reports using this form will be provided electronically to the Departmental ISSPM/Deputy to provide confirmed status on changes in each high level incident. Each report that is an update should be noted as such at the top. The completed electronic report is due to ACIO CS 15 business days after discovery of the incident or event and prior to the return of the compromised system/application to normal operation unless the incident involves law enforcement or adverse action which prohibits release of information. Incidents assigned to law enforcement or human resources without projected close out date will be labeled “Suspended”;

(13) In coordination with the respective SA, monitor the compromised system/application if shutdown has not occurred. If the level of consequence escalates, the ISSPM will take further containment actions to include:

§ Shut down or render the system unavailable to the attacker, to preclude further intrusion or damage. For systems that need to be shutdown, always bring the system to a halted state and never reboot during shutdown of a compromised system;

§ Examine each affected system to determine what changes occurred, such as the addition of new user identifications or software; and

§ Conduct diagnostic testing on the compromised system(s) to determine the security status using scanning tools;

(14) In concert with the SA, ensure that the penetrated system is kept offline and disconnected from the network until it has been determined how the intrusion occurred and until the vulnerabilities that allowed the penetration have been corrected or disabled. The ISSPM will make certain that log files are copied to another unaffected system. Reboot of the system will be controlled and done in “single-user mode” only;

(15) In coordination with the SA, ensure that vendor’s guidelines and instructions for restarting mainframes or clustered minicomputer systems are followed. The original operating system software will be used that represents a “trusted backup” of the operating system prior to the intrusion. All necessary system patches and authorized application software will then be reloaded. All user accounts and system privileges need to be verified for validity prior to reloading. A scan tool will be run on the system by the agency to ensure that the system is ready for operation and secure. Note all system operating software, patches, authorized applications software and data backup tapes should always be stored in a secure location in the event a system restoration is necessary. System data should be backed up on a routine basis dictated by the value or sensitivity of the information;

(16) Ensure that a proper “chain of custody” is maintained as outlined below to support the government’s responsibility to prosecute intruders. Work with the SA to ensure that two backup tapes are created. These tapes will be labeled with the date, time, and description of data and signature of the person creating the tape. The ISSPM will maintain these tapes in a safe or locked file cabinet with a signed receipt that the tapes have not been reused. The original tape will be provided to investigating authorities; the second copy will be retained by the ISSPM. It is strongly recommended that a witness be present to document and attest to the events that occurred in the process of protecting evidence;

(17) Upon notification by the respective SA that the system is secure and ready for normal operation, the ISSPM will advise the ACIO CS of system recovery and request approval to resume normal operation;

(18) In concert with the systems owner or IT business manager, make a determination on the value/sensitivity of the data to the agency mission. Collaboratively develop a damage determination based on an analysis of the incident. This analysis should include the type of products used by the intruder, any apparent File Transfer Protocol (FTP)s of data, and the extent of the intrusion. This information should be used as the basis for a decision on the known potential for damage to the system. The damage determination should also be quantified in terms of loss of system availability, loss of response capability to customer, cost of repairing hardware/software and the hours of personnel associated with repair or restoration of the system;

(19) Perform a privacy analysis to determine if individual privacy data has been compromised; if so determine the extent of the damage and advise ACIO CS;

(20) Report all suspected CS incidents to the ACIO CS to ensure that incidents are reported formally;

(21) Ensure that all CS incident reports are completed and filed in following the formats and time frames outlined in the previous Policy section, Incident Response Forms, contact lists and time frames; and

(22) Retain all incident report information, evidence tapes and other related materials in a safe or locking file cabinet; act as the official agency repository for all CS incidents.

g The Agency Systems Administrators will:

(1) In coordination with the agency ISSPM, take actions

to effectively assess, contain, and recover from all CS incidents; examine the compromised system to determine what changes occurred to the system as outlined in the duties of the agency ISSPM. Remove all unknown code and software from the compromised system;

(2) Actively participate, if requested, in the internal IRT and provide subject matter expert advice in the handling of CS incidents to the agency ISSPM;

(3) Rebuild the compromised system, as outlined in the ISSPM duties above, conduct system scans, ensure that adequate security controls and countermeasures are in place or implemented and notify the agency ISSPM when the system is secure and ready to resume normal operation;

(4) Ensure that all system patches and updates have been applied;

(5) Test the system to determine that vulnerabilities have been corrected or adequately mitigated;

(6) Provide the results of the system test to the agency ISSPM to validate that the system has been restored to a trusted operating state;

(7) Assist the agency ISSPM in any research or investigation

required to determine the extent of any damage done

or the impact of CS incident/event on the system(s)

administered;

(8) Preserve and protect the evidence compiled as a result of the investigation or research;

(9) Ensure that forensic evidence has been maintained; and

(10) Report any suspected CS Incident to the agency ISSPM and ACIO CS immediately upon learning of the incident.

h All Agency Employees will:

Report all suspicious computer related activities immediately when detected on USDA Systems to the responsible SA, agency ISSPM or helpdesk personnel for investigation and determination of whether an incident has occurred or is in process.

- END -