JC3 Incident Reporting Procedures
U.S. Department of Energy Facilities/Contractors Only
DOE O 205.1-B Chg 2 4.(c)(13) DEPARTMENT OF ENERGY CYBER SECURITY PROGRAM requires a defined "process for incident reporting that requires all cyber security incidents involving information or information systems, including privacy breaches, under DOE or DOE contractor control must be identified, mitigated, categorized, and reported to the Joint Cybersecurity Coordination Center (JC3) in accordance with JC3 procedures and guidance." This document outlines the referenced JC3 reporting procedures and guidance to facilitate your reporting and JC3's response activity. JC3 should be informed of all reportable cyber security incidents as specified below. JC3 will work with your site management to determine the severity or significance of any cyber security incident.
For PII clarification for reporting, contact the Chief Privacy Officer.
Reportable Cyber Security Incidents
All DOE organizations will develop and document procedures for reporting cyber security incidents in their Cyber Security Program Plans (CSPPs) or similar documents for classified systems. DOE organizations will report cyber security related incidents that are significant or unusually persistent and meet one or more of the following criteria:
1.) Characterize and Categorize Cyber Security Incidents
Characterize and categorize cyber security incidents according to their potential to cause damage to information and information systems based on two criteria: Incident Type and Security Category. These criteria are used to determine the time frame for reporting incidents to the JC3.
Type 1 incidents are successful incidents that potentially create serious breaches of DOE cyber security or have the potential to generate negative media interest. The following are defined as Type 1 incidents.
- System Compromise/Intrusion. All unintentional or intentional instances of system compromise or intrusion by unauthorized persons must be reported, including user-level compromises, root (administrator) compromises, and instances in which users exceed privilege levels.
- Loss, Theft, or Missing. All instances of the loss of, theft of, or missing laptop computers; and all instances of the loss of, theft of, or missing IT resources, including media, that contained Sensitive Unclassified Information (SUI) or national security information.
- Web Site Defacement. All instances of a defaced Web site must be reported.
- Malicious Code. All instances of successful infection or persistent attempts at infection by malicious code, such as viruses, Trojan horses, or worms, must be reported.
- Denial of Service. Intentional or unintentional denial of service (successful or persistent attempts) that affects or threatens to affect a critical service or denies access to all or one or more large portions of a network must be reported. Critical services are determined through Business Impact Analyses in the Contingency Planning process.
- Critical Infrastructure Protection (CIP). Any activity that adversely affects an asset identified as critical infrastructure must be reported. CIP assets are identified through the Contingency Planning process.
- Unauthorized Use. Any activity that adversely affects an information systems normal, baseline performance and/or is not recognized as being related to Senior DOE Management mission is to be reported. Unauthorized use includes, but is not limited to, port scanning that excessively degrades performance; IP (Internet protocol) spoofing; network reconnaissance; monitoring; hacking into DOE servers and other non-DOE servers; running traffic-generating applications that generate unnecessary network broadcast storms or drive large amounts of traffic to DOE computers; or using illegal (or misusing copyrighted) software images, applications, data, and music. Unauthorized use can involve using DOE systems to break the law.
- Information Compromise. Any unauthorized disclosure of information that is released from control to entities that do not require the information to accomplish an official Government function such as may occur due to inadequate clearing, purging, or destruction of media and related equipment or transmitting information to an unauthorized entity.
Type 2 incidents are attempted incidents that pose potential long-term threats to DOE cyber security interests or that may degrade the overall effectiveness of the Department’s cyber security posture. The following are the currently defined Type 2 incidents.
- Attempted Intrusion. A significant and/or persistent attempted intrusion is an exploit that stands out above the daily activity or noise level, as determined by the system owner, and would result in unauthorized access (compromise) if the system were not protected.
- Reconnaissance Activity. Persistent surveillance and resource mapping probes and scans are those that stand out above the daily activity or noise level and represent activity that is designed to collect information about vulnerabilities in a network and to map network resources and available services. The Senior DOE Management PCSP must document the parameters for collecting and reporting data on surveillance probes and scans.
Security categories characterize the potential impact of incidents that compromise DOE information and information systems. Such incidents may impact DOE operations, assets, individuals, mission, or reputation. Security categories identify the level of sensitivity and criticality of information and information systems by assessing the impact of the loss of confidentiality, integrity, and availability. Each of the security objectives confidentiality, integrity, and availability is assessed in the following manner:
- Low Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a limited adverse effect on DOE operations, assets, or individuals, including loss of secondary mission capability, requiring minor corrective actions or repairs.
- Moderate Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a serious adverse effect on DOE operations, assets, or individuals, including significant degradation, non-life threatening bodily harm, loss of privacy, or major damage, requiring extensive corrective actions or repairs.
- High Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on DOE operations, assets, or individuals. The incident could pose a threat to human life, cause the loss of mission capability, or result in the loss of major assets.
2.) Complete Incident Reports
Complete Incident Reports in a timely manner, and maintain all records. Incident management processes and procedures are included in Contingency Plan testing and integrated with Personally Identifiable Information incident reporting, Information Condition (INFOCON) processes and procedures, and each information system Contingency Plan.
- When a cyber security incident has occurred or is suspected to have occurred (potential incident), the affected site will immediately examine and document the pertinent facts and cirumstances surrounding the event.
- The initial investigation of an event is completed within 24 hours. If the initial investigation of a potential incident cannot be completed within 24 hours, an initial report must be made within 26 hours. Once it is determined that an incident has occurred, the incident must be categorized according to Incident Type and Security Category, analyzed for impact to Senior DOE Management operations, and reported to JC3 within the time frames indicated in Table 1, in accordance with the process established in the applicable PCSP.
- All potential incident evaluations and incidents must be documented and local files retained.
- A monthly report on the status of incident resolution is to be required from all operating units whether or not any reportable successful or attempted cyber security incidents have occurred during the previous month.
Within 4 hours
Within 2 hours
Within 1 hour
Within 1 week
Within 48 hours
Within 24 hours
Required Time Frame for Reporting Cyber Security Incidents
Requirements for Reporting of Cyber Security Incidents Involving Personally Identifiable Information (PII). Senior DOE Management PCSPs are to direct operating units to develop, document, and implement policies and procedures for reporting incidents involving PII, in accordance with the following criteria.
- Establish, document, and implement procedures for reporting cyber security incidents related to PII in accordance with the processes and time frames outlined in this Guidance.
- Develop processes to notify the Information Owner once it has been determined that confidentiality of PII has been compromised.
- Ensure that all suspected or confirmed cyber security incidents involving media containing PII (including the physical loss/theft of computing devices) are reported to the DOE Cyber Incident Response Capability (JC3) within 45 minutes of discovery. JC3 will report to the US-Computer Emergency Readiness Team (US-CERT) in accordance with its procedures.
- When reporting possible cyber security incidents involving PII, there should be sufficient reason to believe that a security breech has occurred and that PII is likely to have been involved. Otherwise, the incident should be reported following documented procedures for reporting all cyber security incidents.
- Reports to JC3 should be made via the AWARE portal, or alternatively by email to email@example.com, phone to 866-941-2472, or fax to 702-932-0189.
Incident Reporting Procedures
Incidents involving unclassified computer systems
Report cyber security incidents involving unclassified systems as listed below. JC3 encourages sites to utilize the flexibility offered by e-mail whenever possible.
Send e-mail describing the cyber security incident to firstname.lastname@example.org. Alternatively, call the hotline at 866-941-2472, or fax information to 702-932-0189.
Incidents Requiring Immediate Attention
If the cyber security incident requires priority handling, use the phrase "URGENT" in the e-mail subject line and an analyst will contact you. You can also call the hotline at 866-941-2472, where an analyst will man the phone 24x7x365. Please restrict the non-business hours use of the incident hotline to only emergency situations.
Information about unclassified cyber security incidents of a sensitive nature should be sent protected with encrypted e-mail. To facilitate this process, supply JC3 with your public encryption key, either Entrust or PGP. Contact JC3 for guidance on how to transmit information securely if encrypted means are not available.
Automated Scan Detection and Reporting
Some sites are utilizing automated methods for both detecting and reporting scans and probes. This provides JC3 with valuable data without undue burden on the site. If you are interested in using an automated tool, send e-mail to email@example.com.
Incidents Involving Classified Computer Systems
If the cyber security incident involves a classified system, call the JC3 Hotline 866-941-2472 and request a callback on the JC3's STU. If you are not near a STU, call the JC3 Hotline with a STU number and a time to return your call. Please note these are not incidents that involve the "leaking" of classified material onto an unclassified system.
Incident Report Content
JC3 is available to all sites that need assistance in cyber security incident handling and gathering of incident information. In reporting cyber-related incidents to JC3, provide as much detailed information as possible about how the incident occurred, what occurred, its impact, and what preventive measures have been implemented. Supply any log file information from the compromised system(s), routers, and/or firewalls in the communication path. JC3 will analyze this information and provide a detailed report regarding each unauthorized compromise.
JC3 understands that this information is not always readily available; however, any details you can provide will help with our analysis. Even if you have resolved the incident yourself, your report and analysis is valuable to JC3 in comparing this incident with those reported by other sites. It further assists JC3 in analyzing the DOE corporate threat and providing DOE and the NNSA with guidance. In assessing the significance and reporting of such cyber security incidents, the reporting organization must consider the following questions:
- Determine responsible party's identification, usually IP address(es) or host name(s).
- Does the compromise involve a country on the DOE Sensitive Country List?
- What type of information was the compromised system processing (classified or unclassified -- OUO, UCNI, NNPI, Export Controlled)?
- What service did the system provide (DNS, key asset servers, firewall, VPN gateways, IDS)?
- What level of access did the intruder gain?
- What hacking tools and/or techniques were used?
- What did the intruder delete, modify, or steal?
- What unauthorized data collection programs, such as sniffers, were installed?
- What was the impact of the attack?
- What preventative measures have been (are being) implemented?
- When was the cyber security incident detected?
- When did the cyber security incident actually occur?
- How was access gained?
- What vulnerability was exploited?
- How was the incident detected?
Incident Reporting Form
For your convenience, please contact us for the Word documents to report an incident.