DRAFT FOR PUBLIC COMMENT
CISA Incident Reporting Form
Complete Question Set
Page 1 of 120
Table of Contents
Table of Contents ............................................................ 2
a. Introduction .............................................................. 5
b. Labels Used ............................................................... 5
c. Beginning of Incident Reporting Questions ................................. 6
d. Report Type ............................................................... 6
e. Report Reason ............................................................. 7
f. Contact Information of Reporter: .......................................... 9
g. Impacted Entity Demographics ............................................. 11
h. Incident Overview ........................................................ 25
   Incident Category Type Determination ..................................... 25
i. Incident Notifications ................................................... 27
j. Incident: Severity Assessments ........................................... 30
   Confidentiality, Integrity, Availability (CIA) Assessment ................ 30
   Violation of Law and Policy .............................................. 31
   Incident: High-Level Impacts ............................................. 31
      Public Impacts ........................................................ 31
      National US Impacts ................................................... 31
      Regional Impacts (Local to Global) .................................... 32
      Breach Severity Impacts ............................................... 32
      Major Incident Severity Determination (FISMA Only) .................... 33
      Public Health and Safety Impacts ...................................... 34
      Indirect Impacts ...................................................... 35
   Impacts Internal to the Entity ........................................... 37
      Functional Impacts to Entity .......................................... 37
      Informational Impacts to Entity ....................................... 39
      Physical Impacts to Entity ............................................ 39
      Economic Impacts to Entity ............................................ 40
k. Incident: Details by Stage ............................................... 40
   Incident Details ......................................................... 40
l. Identification and Detection (I/D) Stage ................................. 40
   Incident Stage (I/D): Ransomware and Cyber Extortion ..................... 40
      Initial Ransom Demand Details ......................................... 41
      Ransom Payment Details ................................................ 42
      Results of Ransom Incident ............................................ 46
   Incident Stage (I/D): Tactics, Techniques and Procedures (TTPs) and
   Indicators of Compromise (IOCs) Observed ................................. 47
      Incident Stage (I/D): Tactics, Techniques and Procedures (TTPs) Observed ... 48
      Incident Stage (I/D): Indicators of Compromise (IOCs) and associated
      Detection Methods Used ................................................ 50
         Indicator of Compromise (IOC) Individual Data Marking .............. 55
         Incident Stage (I/D): Indicators of Compromise (IOCs): Detection Methods ... 55
         Incident Stage (I/D): Malware Artifacts and Detection Logics/Analytics ... 57
         Incident Stage (I/D): Malware Artifacts and Detection Logics/Analytics:
         Data Classification Markings ....................................... 58
   Incident Stage (I/D): Data Sources Used and Attribution .................. 58
      Data Sources Used ..................................................... 58
      Attribution ........................................................... 58
m. Assistance ............................................................... 59
   Assistance from CISA ..................................................... 59
   Third Party Assistance ................................................... 59
   Data Sharing and Logging Readiness ....................................... 59
n. Analysis (A) Stage ....................................................... 61
   Incident Stage (A): Impacted Users and Systems ........................... 62
   Incident Stage (A): Initial Access “Patient Zero” Details ................ 67
   Incident Stage (A): Detailed Informational Impacts ....................... 68
   Incident Stage (A): Breach Details ....................................... 73
      Impacted Individuals .................................................. 74
      PII Accessed and/or Impacted .......................................... 74
   Incident Stage (A): Security Control(s) [Contributing to Incident] ....... 78
o. Containment (C) Stage .................................................... 80
   Incident Stage (C): Countermeasures – Containment ........................ 81
p. Eradication Stage ........................................................ 83
   Incident Stage (E): Countermeasures – Eradication ........................ 84
q. Recovery (R) Stage ....................................................... 85
   Incident Stage (R): Recovery Actions ..................................... 86
r. Post-Incident (P-I) Stage ................................................ 87
s. Event Reporting (Below Incident Thresholds) (FISMA – Only) ............... 89
t. Data Marking Stage ....................................................... 90
   Cybersecurity Information Sharing Act of 2015 Acknowledgement ............ 90
   Overall Report Data Markings ............................................. 90
u. End of Incident Reporting Questions ...................................... 90
v. Appendix 1: Data Marking ................................................. 90
   Data Marking Options ..................................................... 90
w. Appendix 2: CISA Cybersecurity Performance Goals (Protect) & NIST SP 800-53 References ... 91
   Protect CISA CPGs & NIST SP 800-53 References ............................ 91
x. Appendix 3: Incident Type/Categories ..................................... 99
   Incident Types involving Malware ......................................... 99
   Incident Types Involving Hacking ........................................ 100
   Incident Types Involving Social Engineering ............................. 101
   Incident Types Involving Misuse of Assets ............................... 101
   Incident Types Involving Physical Actions ............................... 102
   Incident Types Involving Human (or Technology) Errors ................... 102
   Incident Types Involving Environmental Factors .......................... 103
y. Appendix 4: Critical Infrastructure Sectors and Subsectors .............. 103
z. Appendix 5: Federal Agencies and Sub-Agencies ........................... 107
a. Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) collects cybersecurity incident
reports related to federal agency information systems, mandatory reports on behalf of certain
federal regulatory agencies, mandatory reports due to contractual requirements, and voluntary
reports from members of the public. This question set, which is authorized by the Federal
Information Security Modernization Act of 2014 (FISMA) and the Homeland Security Act, is
distinct from incident reporting under the Cyber Incident Reporting for Critical Infrastructure
Act (CIRCIA). CISA will use a different information collection instrument for CIRCIA incident
reports after the effective date of CIRCIA implementing regulations.
The questions included in this document represent the universe of all possible questions CISA
may use for incident report information collection purposes across the multiple existing incident
reporting use cases; no respondent will be presented with all the questions. In the Incident Reporting
Portal, respondents will be directed to answer a subset of the questions based on the characteristics
of the reporting entity, the reasons for which they are reporting, and the nature of the incident. The
dynamic design of the Incident Reporting Portal means that the user experience flow from question
to question is driven by the individual respondent’s responses. As described in the next section,
CISA has provided design notes to explain the conditional logic that supports the dynamic design;
the conditional logic may change as CISA works to implement the Incident Reporting Portal and is
provided as an example to help the reader understand how questions relate to one another.
b. Labels Used
Throughout this document, labels are used to provide context on how conditional logic may
affect the flow from question to question, to show where certain respondents may request that
certain data markings be applied to their responses to a question, and to note where additional
text may be shown to the respondent in the Incident Reporting Portal to assist with question
comprehension.
Conditional Logic Markings:
[RA] = Required question for all types of reports
[RR] = Required question for reports identified as necessary to satisfy a regulatory and/or
statutory requirement including Federal Information Security Modernization Act
(FISMA)
[RC] = Required question based on an earlier conditional response/selection.
[FISMA Req] = Required question for reports identified as necessary to satisfy FISMA
reporting requirements.
[FedRAMP] = Required question for reports identified as necessary to satisfy Federal
Risk and Authorization Management Program (FedRAMP) reporting requirements.
[Fed Ctr] = U.S. Government Federal Contractor Only
[Op] = Optional
[Op] + [FISMA Req] = Required for FISMA reporters and optional for all other
reporters.
[Op] + [RR] = Optional for all, except required for regulatory and/or statutory reporting
including FISMA.
{Conditional} = Provides additional conditional logic context on some questions.
Data Markings:
[C-15] = CISA 2015 data marking option for non-Federal incident reporting. This is not
a default marking but is available for non-Federal reporters if their data meets CISA 2015
data marking criteria, e.g., cyber threat indicators (CTIs).
[CUI] = Controlled unclassified information
Design and display note markings:
Display notes do not contain questions with which a respondent must engage. Display
notes contain additional explanatory content which may assist a respondent with
responding to a question. The format for these notes is as follows:
(DISPLAY NOTE: Light blue and bolded words should be displayed to the reader.)
All Footnotes contained in this document accompany Display Notes and will be presented on the form in a
method determined during the design process for the best display for the reader. These methods could be a
combination of “pop-ups”, on form notes, “hover-over” notes, etc.
Design notes are intended to help the developers of the Incident Reporting Portal and
reviewers of the questions understand the conditional logic that may direct a respondent
from one question to the appropriate next question based on their input. The flow from
question to question will continue to be under development as CISA incorporates
feedback from reviewers. However, since it is critical to communicate that no respondent
will answer all the questions contained herein, we wanted to provide this conditional
logic to support reviewers’ understanding of how the dynamic form may work. The
format for these notes is as follows:
(DESIGN NOTE: Black and bolded words are for the developers only and should not be displayed to
the readers.)
c. Beginning of Incident Reporting Questions
(DISPLAY NOTE: Global Disclaimer: Please fill out all questions in this form to the best of your knowledge at the time of
submission.)
d. Report Type
FOR ALL REPORTERS
1. [RA] What type of report do you want to submit?
A. Initial report
B. Supplemental/update report
C. Post-incident report [1]
e. Report Reason
2. [RA] Why are you reporting? (DESIGN NOTE: Single select)
A. Voluntarily reporting a cyber incident (select one) (DESIGN NOTE: If voluntary is
selected, display the two following types of voluntary reporting and single select)
1. Are you voluntarily reporting an incident for an individual (yourself or
another person)?
2. Are you voluntarily reporting an incident for an entity (a company,
organization [2], etc.)?
B. Reporting to satisfy a regulatory, statutory, and/or contractual requirement
(DISPLAY NOTE: If you are a third party completing the incident report on behalf of the affected entity,
please be aware that we ask for details about the affected organization first and will gather your details
later in the process.)
3. {Conditional on selecting “2.B” above}[RR] Please identify the regulatory, statutory,
and/or contractual requirement you are intending to satisfy with this report from the
list below. (DESIGN NOTE: Multi select) (DESIGN NOTE: This question does not apply to “voluntary”
identified reports)
(DISPLAY NOTE: To the extent that a reporting requirement provides that reporting to CISA is a means
of compliance, you must indicate the specific requirement below to be considered as reporting under that
requirement.)
A. Cybersecurity and Infrastructure Security Agency (CISA)
1. Federal Information Security Modernization Act of 2014 (FISMA 2014)
a. Please select the appropriate report reason:
1. Cyber incident
2. Unauthorized release and/or loss of agency information
(including personally identifiable information) unrelated to a
cybersecurity incident
B. Federal Energy Regulatory Commission (FERC)/ North American Electric
Reliability Corporation (NERC)
[1] Post Incident “Stage” [Report]: Report submitted at the conclusion of the incident after all recovery efforts have been
completed (or at a minimum, completed efforts have been accepted by the impacted entity as sufficient). The post incident report
includes information referenced in CISA’s Incident Response Playbook, such as documenting lessons learned. For Federal
Civilian Executive Branch reporters, this post incident report is due no later than 7 days after incident resolution.
[2] Organization: [FIPS 200, https://doi.org/10.6028/NIST.FIPS.200] An entity of any size, complexity, or positioning
within an organizational structure, including federal agencies, private enterprises, academic institutions, state, local,
or tribal governments, or, as appropriate, any of their operational elements.
1. Critical Infrastructure Protection Reliability Standards CIP-003-8 (Cyber
Security Management Controls) and CIP-008-6 (Cyber Security – Incident
Reporting and Response Planning)
C. Federal Risk and Authorization Management Program (FedRAMP)
1. Please select the appropriate report reason:
a. Cyber incident
b. Unauthorized release and/or loss of agency information (including
personally identifiable information) unrelated to a cybersecurity
incident
D. Nuclear Regulatory Commission
1. Cybersecurity event notifications (10 C.F.R. 73.77)
E. Transportation Security Administration (TSA)
1. Security Directives or Information Circulars associated with Surface
Transportation, Rail, Public Transportation and Passenger Railroad
Cybersecurity (SD 1582-21-01 series, SD 1580-21-01 series, and IC 2021-01,
including all amendments and successors)
2. Security Directives or Information Circulars associated with Pipeline
Cybersecurity (SD Pipeline 2021-01 series and IC Pipeline 2022-01,
including all amendments and successors)
3. (DESIGN NOTE: Placeholder for aviation citations, details TBD)
a. Airport Security Program (ASP)
b. Aircraft Operator Standard Security Program (AOSSP)
c. Full All-Cargo Aircraft Operator Standard Security Program
(FACAOSSP)
d. Twelve-Five Standard Security Program (TFSSP)
e. Private Charter Standard Security Program (PCSSP)
f. Indirect Air Carrier Standard Security Program (IACSSP)
g. Certified Cargo Screening Standard Security Program (CCSSP)
F. U.S. Coast Guard (USCG)
1. Suspicious activity, breaches of security, or transportation security incidents
(33 C.F.R. 101.305 and 33 C.F.R. 6.16)
G. Reserved entity for future if necessary {PRA placeholder}
1. Reserved statute, regulation, or contractual requirement
a. Please select the appropriate report reason:
1. (DESIGN NOTE: “report reason” List)
H. Other (DISPLAY NOTE: Reporters selecting this option are responsible for confirming that the
listed agency and statute/regulation/contract permit reporting to CISA as a means of compliance with
that agency’s reporting requirements.)
1. Agency [describe] (DESIGN NOTE: Open text)
2. Statute, regulation, or contract clause [describe] (DESIGN NOTE: Open text)
f. Contact Information of Reporter:
4. [CUI][RA] Please provide your name and contact information
A. [CUI] Name
1. First
2. Last
B. [CUI] Phone number(s)
1. Preferred
2. Alternate
C. [CUI] Email address(es)
1. Preferred
2. Alternate
D. [CUI] Social media profile (Optional)
1. Primary social media handle or username?
2. Enter the corresponding social media platform
E. Job title
F. Which time zone are you in?
5. [CUI][RA] Are you the primary point of contact for this incident? (Yes/No)
A. [CUI][RC] (DESIGN NOTE: If No) Please provide the primary point of contact name
and contact information
1. [CUI] Name
a. First
b. Last
2. [CUI] Phone number(s)
a. Preferred
b. Alternate
3. [CUI] Email address(es) of point of contact
a. Preferred
b. Alternate
4. [CUI] Social media profile (Optional)
a. Primary social media handle or username?
b. Enter the corresponding social media platform
5. Job title
6. Which time zone are they in?
6. [RA] Are we able to contact the primary point of contact for clarification or
additional information not provided in this report? (Yes/No)
A. [RC] If yes,
1. What time, in your local time zone, is the best time to reach you (and/or the
primary point of contact)?
2. What day of the week is best for us to reach out to the primary point of
contact?
3. What is the primary point of contact’s preferred method of contact? (DESIGN
NOTE: Multi select) (Select all that apply) Phone, Email, Other [Describe])
(DESIGN NOTE: Open Text)
7. [RA] Do you work for the affected entity?
A. Not applicable, I am an individual, self-reporting an incident affecting me.
B. Yes
C. Yes, I am a third party and have been expressly authorized to report on the
affected entity’s behalf (law firm, incident response firm, etc.) (DESIGN NOTE:
Produce this “display note” upon condition the reporter is also reporting pursuant to a reporting
requirement >> DISPLAY NOTE: If a third party is submitting a report on behalf of the impacted
entity to satisfy another legally required reporting requirement, (1) the third-party submitter must be
expressly authorized by the impacted entity to submit reports on its behalf and (2) the other reporting
requirement must allow for third-party submission of reports. CISA will not verify whether third-party
submission of a report fully satisfies other legal reporting requirements on behalf of an impacted
entity.)
1. [CUI] Please provide the contact information for the person at the impacted
entity who expressly authorized you to report on the entity’s behalf.
a. [CUI] Name
1. First
2. Last
b. [CUI] Phone number(s)
1. Preferred
2. Alternate
c. [CUI] Email address(es) of point of contact
1. Preferred
2. Alternate
d. Job title
D. No, I am a third party and do not have the consent and/or have not been expressly
authorized to report on the affected entity’s behalf (law firm, incident response
firm, etc.) (DISPLAY NOTE: If a third party is submitting a report on behalf of the impacted entity
without consent and/or authorization, this incident will be validated between the impacted entity and
CISA.)
g. Impacted Entity Demographics
8. [RA] What is the affected entity type?
A. Private sector (including U.S. Government contractors)
B. U.S. Federal Government agency
C. U.S. State, Local, Tribal, or Territorial (SLTT) entity
D. Foreign government entity
E. Civil society
F. Other [describe]
9. [RC] (DESIGN NOTE: Applies to only “Private sector” or “Other” selection, except those private sectors
that have indicated reporting for a regulatory, statutory, and/or contractual requirement intending to
satisfy FISMA and/or FedRAMP; those reporters are directed to Q13 as U.S. Government contractors)
Private Sector and Other (DESIGN NOTE: Display the description indicated in Q 8.F “Other”
here if applicable) – Impacted Entity Demographics
A. Please provide the name of the affected entity. (Please spell out any acronyms.)
1. Is the affected entity a subsidiary of a larger entity? (Yes/No) (DESIGN NOTE:
If Yes) Provide the name of the larger/parent entity
B. Is the affected entity operating in a critical infrastructure sector [3]? (Yes/No)
1. {Conditional to “Voluntary” report AND “Yes” to “operating a critical
infrastructure” AND "Entity Type" is not "Federal Government"} (DESIGN
NOTE: If this is flagged as a “voluntary” report and “yes” as operating a critical infrastructure
and NOT a "Federal Government entity" then the following Protected Critical Infrastructure
Information (PCII) conditions must be met and asked of the reporter) You have indicated
your entity operates in a critical infrastructure sector and is also submitting
this report on a voluntary basis. So that your report can be evaluated for
protections afforded under the Protected Critical Infrastructure Information
(PCII) Program [4], do you consider the information you are sharing to meet
any of the following conditions? Select “Yes” if any of the following
conditions are true. (Yes/No)
a. Is the information, not customarily in the public domain and
related to the security of critical infrastructure or protected
systems, including documents, records, communication networks,
or other information concerning:
1. Actual, potential, or threatened interference with, attack on,
compromise or incapacitation of critical infrastructure or
protected systems by either physical or computer-based attack
or other similar conduct that violates Federal, State, local,
tribal, or territorial laws, harms interstate commerce of the
United States, or threatens public health or safety.
[3] https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
[4] PCII Program - Frequently Asked Questions | CISA (https://www.cisa.gov/resources-tools/programs/protected-critical-infrastructure-information-pcii-program/pcii-program-frequently-asked-questions)
2. The ability of any critical infrastructure or protected system to
prevent such interference, compromise, or incapacitation;
including any planned or past assessment, projection, or
estimate of the vulnerability of critical infrastructure or a
protected system, including security testing, risk evaluation
thereto, risk management planning, or risk audit.
3. Any planned or past operational problem or solution regarding
critical infrastructure or protected systems, including repair,
recovery, reconstruction, insurance, or continuity, to the
extent it is related to such interference, compromise, or
incapacitation.
b. (DESIGN NOTE: If Yes: DISPLAY NOTE: Thank you. Your submission will be
evaluated to ensure it meets the PCII program requirements. Once evaluated and
requirements are validated, in order for the PCII protections to be afforded to you
for this report you will need to complete and return the “Express and Consent”
statement that CISA will send to you via the email contact information you provided
in this form. (DISPLAY NOTE: To learn more about the benefits the PCII
program affords qualified submissions please visit
https://www.cisa.gov/resources-tools/programs/protected-critical-infrastructure-information-pcii-program/pcii-program-frequently-asked-questions.))
1. If you do not wish to have your submission evaluated as a
PCII submission, please check this box [ ]
c. (DESIGN NOTE: If No: (DISPLAY NOTE: Thank you. Your submission does not
seem to meet the conditions to qualify as protected critical infrastructure
information. You may now continue with the rest of the form.))
2. (DESIGN NOTE: If Yes) Please select the primary critical infrastructure sector
that is impacted by/involved in this incident. If possible, also select the
appropriate critical infrastructure subsector. (DESIGN NOTE: See Appendix 4 for
complete critical infrastructure sector and subsector list.)
a. Chemical
b. Commercial Facilities
c. Communications
d. Critical Manufacturing
e. Dams
f. Defense Industrial Base
g. Emergency Services
h. Energy
i. Financial Services
j. Food and Agriculture
k. Government Facilities
l. Healthcare and Public Health
m. Information Technology
n. Nuclear Reactors, Materials, and Waste
o. Transportation Systems
p. Water and Wastewater Systems
q. Unsure
3. (DESIGN NOTE: If Yes) Of the 16 listed critical infrastructure sectors, are there
any additional critical infrastructure sector(s) with which your organization
aligns that were also impacted by the incident? (Yes/No) (DESIGN NOTE: If Yes,
present list of critical infrastructure again and flag as “secondary” critical infrastructure (allow
multi select, but all will be flagged as “secondary”)) Please select the secondary critical
infrastructure sector(s) that is(are) impacted by this incident. If possible, also
select the appropriate critical infrastructure subsector.
(DESIGN NOTE: See Appendix 4 for complete critical infrastructure sector and subsector list.)
10. [RC] (DESIGN NOTE: Applies to only “U.S. Federal Government agency” selection) U.S. Federal
Government agency – Impacted Entity Demographics
A. Please provide the Federal agency name (DESIGN NOTE: Select from list in Appendix 5) [5]
1. Please select your sub-agency below after selecting your parent agency (if
applicable) (DESIGN NOTE: Select from list in Appendix 5) [6]
B. We understand all incidents occurring at federal agencies impact the Government
facilities critical infrastructure sector [7] and it is therefore selected as your primary
critical infrastructure. However, are there any additional critical infrastructure
sector(s) impacted by the incident occurring at your agency? Please select all that
apply. If applicable, also select the appropriate critical infrastructure-subsector.
(DESIGN NOTE: See Appendix 4 for complete critical infrastructure sector and subsector list.
Primary critical infrastructure sector can only be entered once.) (DESIGN NOTE: Flag all Federal
Gov entities as “Government facilities” for prime critical infrastructure sector, then allow for one-to-many secondary critical infrastructure sectors and sub sectors)
1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems
17. Unsure
[5] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
[6] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
[7] https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
C. Of the 16 listed critical infrastructure sectors, are there any additional critical
infrastructure sector(s) with which your organization aligns that were also
impacted by the incident? (Yes/No) (DESIGN NOTE: If Yes, present list of critical
infrastructure again and flag as “Secondary” critical infrastructure (allow multi select, but all will be
flagged as “Secondary”)). Please select the secondary critical infrastructure sector(s)
that is(are) impacted by this incident. If applicable, also select the appropriate
critical infrastructure-subsector. (DESIGN NOTE: See Appendix 4 for complete critical
infrastructure Sector and subsector list.)
11. [RC] (DESIGN NOTE: Applies to only “U.S. State, local, tribal, or territorial (SLTT) entity” selection)
U.S. State, Local, Tribal, or Territorial (SLTT) Entity – Impacted Entity
Demographics
A. Please provide details about the impacted State, local, tribal, or territorial (SLTT)
entity. Select from one of the below SLTT options: (DESIGN NOTE: Single select)
1. [ ] State or territory
a. Please provide the impacted entity’s name (spell out any
acronyms)
b. Please select your state or territory below (DESIGN NOTE: Select from
list) [8]
2. [ ] Local
a. Please describe your local administrative division (e.g., city,
district, county, township, municipality) and the U.S. state or
territory your local administrative division is part of:
1. Please provide the impacted entity’s name (spell out any
acronyms)
2. Please select the associated state or territory below (DESIGN
NOTE: Select from list) [9]
3. [ ] Tribal
a. Tribal governments or communities, please indicate your tribe’s
name and any U.S. states and/or territories where the tribe is
physically located.
1. Please provide the impacted entity’s name
2. Please provide the associated U.S. states or territories for
reference
i. Please select the associated states or territories below
(DESIGN NOTE: Select from list) [10] (DESIGN NOTE: Allow more than
one entry as a tribe may be physically spread across several states and
regions)
[8] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
[9] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
B. Is the impacted SLTT Entity in a critical infrastructure sector? [11] (Yes/No)
1. {Conditional to “voluntary” report AND “Yes” to “operating a critical
infrastructure” AND "entity type" is not "Federal Government"} (DESIGN
NOTE: If this is flagged as a “voluntary” report and “Yes” as operating a critical infrastructure
and NOT a "Federal Government entity" then the following PCII conditions must be met and
asked of the reporter) You have indicated your entity operates in a critical
infrastructure sector and is also submitting this report
on a voluntary basis. So that your report can be evaluated for protections
afforded under the Protected Critical Infrastructure Information (PCII)
Program [12], do you consider the information you are sharing to meet any of
the following conditions? Select “Yes” if any of the following conditions are
true. (Yes/No)
a. Is the information, not customarily in the public domain and
related to the security of critical infrastructure or protected
systems, including documents, records, communication networks,
or other information concerning:
1. Actual, potential, or threatened interference with, attack on,
compromise or incapacitation of critical infrastructure or
protected systems by either physical or computer-based attack
or other similar conduct that violates Federal, State, local,
tribal, territorial laws, harms interstate commerce of the
United States, or threatens public health or safety.
2. The ability of any critical infrastructure or protected system to
prevent such interference, compromise, or incapacitation;
including any planned or past assessment, projection, or
estimate of the vulnerability of critical infrastructure or a
protected system, including security testing, risk evaluation
thereto, risk management planning, or risk audit.
3. Any planned or past operational problem or solution regarding
critical infrastructure or protected systems, including repair,
recovery, reconstruction, insurance, or continuity, to the
extent it is related to such interference, compromise, or
incapacitation.
[10] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
[11] https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
[12] PCII Program - Frequently Asked Questions | CISA (https://www.cisa.gov/resources-tools/programs/protected-critical-infrastructure-information-pcii-program/pcii-program-frequently-asked-questions)
b. (DESIGN NOTE: If Yes: DISPLAY NOTE: Thank you. Your submission will be
evaluated to ensure it meets the PCII program requirements. Once it is evaluated
and requirements are validated, you will need to complete and return the “Express
and Consent” statement that CISA will send to you via the email contact
information you provided in this form in order for the PCII protections to be
afforded to you for this report. (DISPLAY NOTE: To learn more about the benefits
the PCII program affords qualified submissions please visit,
"https://www.cisa.gov/resources-tools/programs/protected-critical-infrastructure-information-pcii-program/pcii-program-frequently-asked-questions".))
1. If you do not wish to have your submission evaluated as a
PCII submission, please check this box [ ]
c. (DESIGN NOTE: If No: (DISPLAY NOTE: Thank you. Your submission does not
seem to meet the conditions to qualify as protected critical infrastructure
information. You may now continue with the rest of the form.)
2. (DESIGN NOTE: If Yes) Please select the primary critical infrastructure sector
that is impacted by this incident. If applicable, also select the appropriate
critical infrastructure-subsector. (DESIGN NOTE: See Appendix 4 for complete critical
infrastructure Sector and subsector list. Primary critical infrastructure Sector can only be
entered once.)
1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems
3. (DESIGN NOTE: If Yes) Of the 16 listed critical infrastructure sectors, are there
any additional critical infrastructure sector(s) with which your entity aligns
that were also impacted by the incident? (Yes/No) (DESIGN NOTE: If Yes, present
list of critical infrastructures again and flag as “secondary” critical infrastructure (allow multi
select, but all will be flagged as “secondary”)) Please select the secondary critical
infrastructure sector(s) that is(are) impacted by this incident. If applicable,
also select the appropriate critical infrastructure subsector. (DESIGN NOTE: See
Appendix 4 for complete critical infrastructure Sector and Subsector list.)
12. [RC] (DESIGN NOTE: Applies to only “Foreign Government Entity” selection) Foreign
Government Entity – Impacted Entity Demographics
A. Please provide details about the impacted foreign entity
1. Please select your country below (select from list) [13]
2. Please provide the impacted entity’s name (spell out any acronyms)
3. Is your entity a computer security incident response team (CSIRT)? (Yes/No)
a. (DESIGN NOTE: If Yes, show question) Please enter the name of the
CSIRT (DESIGN NOTE: Open text)
B. Is the impacted entity in a critical infrastructure sector [14] (based on U.S.
designation)? (Yes/No)
a. (DESIGN NOTE: If Yes) Please select the primary critical infrastructure
sector that is impacted by this incident. If applicable, also select
the appropriate critical infrastructure-subsector. (DESIGN NOTE: See
Appendix 4 for complete critical infrastructure sector and subsector list. Primary
critical infrastructure sector can only be entered once.)
1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems
17. Unsure
b. (DESIGN NOTE: If Yes) Of the 16 listed critical infrastructure sectors,
are there any additional critical infrastructure sector(s) with which
your entity aligns that were also impacted by the incident?
(Yes/No/Unsure) (DESIGN NOTE: If Yes, present list of critical
infrastructures again and flag as “secondary” critical infrastructure (allow multi
select, but all will be flagged as “secondary”)) Please select the secondary
critical infrastructure sector(s) impacted by this incident. If
applicable, also select the appropriate critical infrastructure-subsector. (DESIGN NOTE: See
Appendix 4 for complete critical infrastructure sector and subsector list.)
[13] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
[14] https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
13. [RC] (DESIGN NOTE: applies to only “FISMA and/or FEDRAMP” regulatory selection plus “private
sector” organization type “aka entity is a U.S. Federal Government contractor”) U.S. Federal
Government Contractor – Impacted Entity Demographics
A. Please provide the impacted Federal agency you are supporting (DESIGN NOTE:
Select from list in Appendix 5) [15]
1. Please select the sub-agency below, if applicable (DESIGN NOTE: Select from list
in Appendix 5) [16]
B. We understand that all incidents occurring at federal agencies impact the
government facilities critical infrastructure sector and have therefore selected it as
your primary critical infrastructure sector. Are there any additional critical
infrastructure sector(s) impacted by the incident occurring at your agency? Please
select all that apply. If applicable, also select the appropriate critical
infrastructure-subsector.
a. (DESIGN NOTE: See Appendix 4 for complete critical infrastructure sector and
subsector list. Primary critical infrastructure sector can only be entered once.)
(DESIGN NOTE: Flag all Federal Gov entities as “government facilities” as their
prime critical infrastructure sector, then allow for one-to-many secondary critical
infrastructure sectors and sub sectors.)
1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems
17. Unsure
b. Of the 16 listed critical infrastructure sectors, are there any
additional critical infrastructure sector(s) with which your
organization aligns that were also impacted by the incident?
(Yes/No/Unsure) (DESIGN NOTE: If Yes, present list of critical
infrastructures again and flag as “secondary” critical infrastructure (allow multi
select, but all will be flagged as “secondary”)) Please select the secondary
critical infrastructure sector(s) impacted by this incident. If
applicable, also select the appropriate critical infrastructure-subsector. (DESIGN NOTE: See
Appendix 4 for complete critical infrastructure sector and subsector list.)
[15] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
[16] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
C. [Fed Ctr] Please enter the contract number(s), clearance level (contract and
facility), and prime contractor information and points of contact that correspond
to the primary contract impacted by or involved in this incident. (DESIGN NOTE:
Allow one to many entries) (DESIGN NOTE: Allow “button” to add to the contract list if necessary
and repeat the following as necessary for each contract entered)
1. Contract number(s)
2. Contract or other agreement clearance level
a. Unclassified
b. Confidential
c. Secret
d. Top Secret
e. Not Applicable
3. [Fed Ctr] Has the impacted entity been granted a facility security clearance?
(Yes/No)
a. (DESIGN NOTE: If Yes) [Fed Ctr] What is the facility clearance level
(FCL) of the impacted entity?
1. Unclassified
2. Confidential
3. Secret
4. Top Secret (may or may not include Sensitive Compartmented
Information)
5. Not applicable
4. [Fed Ctr] Are you the prime contractor under this contract? (Yes/No)
a. (DESIGN NOTE: If No) Please provide the prime contractor point of
contact
1. Name
i. First
ii. Last
2. Phone number(s)
3. Email address(es)
4. Position/title
5. Address
i. Street name and number
ii. Postal code
iii. City
iv. State
v. Country
vi. Time zone
5. [Fed Ctr] Please provide your US government contracting point(s) of contact
(DISPLAY NOTE: Examples of possible US government contracting points of contact are
typically the Contracting Officer (CO), Contracting Officer Representative (COR), US
Government Administrative Contracting Officer (ACO) [17] and US Government Program
Manager (PM).) (DESIGN NOTE: Allow for more than one entry)
a. Name
1. First
2. Last
b. Phone number(s)
c. Email address(es)
d. Position/title [18] (e.g., CO, COR, ACO, PM) (DESIGN NOTE: Provide
“dropdown list” to select from example list, allow “OTHER” with a fill-in
description)
e. Address
1. Street name and number
2. Postal code
3. City
4. State
5. Country
6. Time zone
[17] 48 CFR § 842.271 - Administrative Contracting Officer's role in contract administration and delegated functions. | Electronic Code of Federal Regulations (e-CFR) | US Law | LII / Legal Information Institute (cornell.edu)
[18] DESIGN NOTE: for each Position selected provide “DISPLAY NOTE” as appropriate:
CO – person who has authority over the contract and ability to direct contractor activities; COR - POCs could be a
federal employee who has authority and ability to direct contractor activities; ACO - Unless you are supporting the
VA or DOD it is unlikely that you have an ACO; PM – person overseeing the technical effort and has the authority
to direct contractor activities.
14. [RC] (DESIGN Note: Applies to only “civil society” selection) Civil Society – Impacted Entity
Demographics
A. Please provide details about the impacted civil society entity
1. Please describe your organization's sector within civil society (e.g.,
academia, faith-based, think tank, media, advocacy, political party, labor
union) (DESIGN NOTE: Open text)
2. Please enter the civil society entity’s name (spell out any acronyms)
B. Are there any critical infrastructure sector(s) [19] directly
impacted by the incident that occurred/is occurring at your organization?
(Yes/No)
1. {Conditional to “voluntary” report AND “Yes” to “operating a critical
infrastructure” AND "entity type" is not "Federal Government"} (DESIGN
NOTE: If this is flagged as a “voluntary” report and “Yes” as operating a critical infrastructure
and NOT a "Federal Government entity" then the following PCII conditions must be met and
asked of the reporter) You have indicated your entity directly impacts a critical
infrastructure sector and is also submitting this report on a voluntary basis.
So that your report can be evaluated for protections afforded under the
Protected Critical Infrastructure Information (PCII) Program [20], do you
consider the information you are sharing to meet any of the following
conditions? Select “Yes” if any of the following conditions are true.
(Yes/No)
a. Is the information, not customarily in the public domain and
related to the security of critical infrastructure or protected
systems, including documents, records, communication networks,
or other information concerning:
1. Actual, potential, or threatened interference with, attack on,
compromise or incapacitation of critical infrastructure or
protected systems by either physical or computer-based attack
or other similar conduct that violates Federal, State, local,
tribal, territorial laws, harms interstate commerce of the
United States, or threatens public health or safety.
2. The ability of any critical infrastructure or protected system to
prevent such interference, compromise, or incapacitation;
including any planned or past assessment, projection, or
estimate of the vulnerability of critical infrastructure or a
protected system, including security testing, risk evaluation
thereto, risk management planning, or risk audit.
3. Any planned or past operational problem or solution regarding
critical infrastructure or protected systems, including repair,
recovery, reconstruction, insurance, or continuity, to the
extent it is related to such interference, compromise, or
incapacitation.
[19] https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
[20] PCII Program - Frequently Asked Questions | CISA (https://www.cisa.gov/resources-tools/programs/protected-critical-infrastructure-information-pcii-program/pcii-program-frequently-asked-questions)
b. (DESIGN NOTE: If Yes: DISPLAY NOTE: Thank you. Your submission will be
evaluated to ensure it meets the PCII program requirements. Once it is evaluated
and requirements are validated, you will need to complete and return the “Express
and Consent” statement that CISA will send to you via the email contact
information you provided in this form in order for the PCII protections to be
afforded to you for this report. (DISPLAY NOTE: To learn more about the benefits
the PCII program affords qualified submissions please visit,
"https://www.cisa.gov/resources-tools/programs/protected-critical-infrastructure-information-pcii-program/pcii-program-frequently-asked-questions".))
1. If you do not wish to have your submission evaluated as a
PCII submission, please check this box [ ]
c. (DESIGN NOTE: If No: (DISPLAY NOTE: Thank you. Your submission does not
seem to qualify as protected critical infrastructure information. You may now
continue with the rest of the form.)
2. (DESIGN NOTE: If Yes) Please select all critical infrastructure sectors impacted
by this incident. If applicable, also select the appropriate critical
infrastructure-subsector. (DESIGN NOTE: Multi select) (DESIGN NOTE: See Appendix 4
for complete critical infrastructure sector and subsector list.)
a. Chemical
b. Commercial Facilities
c. Communications
d. Critical Manufacturing
e. Dams
f. Defense Industrial Base
g. Emergency Services
h. Energy
i. Financial Services
j. Food and Agriculture
k. Government Facilities
l. Healthcare and Public Health
m. Information Technology
n. Nuclear Reactors, Materials, and Waste
o. Transportation Systems
p. Water and Wastewater Systems
q. Unsure
15. [Op] + [FISMA Req] What is the primary website of the impacted entity?
16. [Op] + [FISMA Req] Please enter the impacted entity’s internal tracking number(s)
related to this incident (e.g., case number), if applicable. (DESIGN NOTE: if “N/A” is
selected, internal tracking number can be blank)
A. Not applicable (DESIGN NOTE: Radio button)
B. Internal tracking number(s) (DESIGN NOTE: Text box)
17. [Op] + [RR] If applicable, provide the primary location and/or facility address where
this incident or event occurred. (If applicable, you can also add secondary locations).
A. (DESIGN NOTE: Allow one to many entries. Flag all but first entry as “secondary” addresses of the
impacted entity.)
1. Not applicable (DESIGN NOTE: Radio button - Allow to bypass “address info” if not
applicable is selected)
2. Name of primary (secondary if applicable) location (e.g., building name,
pipeline designation, data center, shipping port, airport, telecom site, etc.) if
applicable. (DESIGN NOTE: Open text and allow “not applicable” as selection option for
name. Also, either address info should be entered, or the latitude and longitude of the location
should be entered. Both could be allowed, but at least one location designation should be
required)
3. Street name and number
4. City
5. State
6. Postal code
7. Country [21]
B. If the incident occurred in a location without a known address, please provide the
coordinates (latitude and longitude) to the best of your ability for the location of
the incident. (DISPLAY NOTE: Many critical infrastructure sector facilities, such as cellular
towers in the communications sector or offshore oil platforms in the oil and natural gas (ONG)
subsector, do not have street addresses. Understanding the geographic location can help CISA identify
a potential targeting effort by an adversary.) (DESIGN NOTE: Include an option to enter latitude and
longitude with guidance on how to use Google Maps to quickly find the coordinates.)
1. Not applicable (DESIGN NOTE: Radio button - Allow to bypass “latitude and longitude
info” if not applicable is selected)
2. Latitude
3. Longitude
C. Has the incident occurred on or involved a movable entity (e.g., ship, aircraft,
train)? (Yes/No)
1. (DESIGN NOTE: If Yes) Please describe the entity that was involved in this
incident. (DESIGN NOTE: Open text)
[21] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
18. [Op] + [RR] Please provide the following information about the impacted
organization. (Answer for the impacted entity and not the parent entity.)
A. Do you know if the impacted entity that owns and/or operates the facility(ies)
where the incident occurred has any unique government or business
identifiers (e.g. North American Industrial Classification System (NAICS),
General Services Administration (GSA)-issued Unique Entity Identifier
(UEI))? (Yes/No/Unknown)
i. [RC] (DESIGN NOTE: If yes) Please select from the identifier(s) below and
provide their corresponding numbers: (DESIGN NOTE: Multi select).
a. Type of Identifier(s)
1. North American Industrial Classification System (NAICS)
identifier(s)
i. Identifier number(s) (DESIGN NOTE: Repeated for each identifier
selected)
2. General Services Administration (GSA)-issued Unique Entity
Identifier (UEI)
3. Environmental Protection Agency FacID
4. What are the Commercial and Government Entity (CAGE)
Code(s) for the facility location(s) of the impacted system(s)?
i. Provide the address of the facility or facilities associated
with the CAGE codes. (DISPLAY NOTE: CAGE codes are
assigned to suppliers to various government or defense agencies, as well
as to government agencies themselves and various organizations. CAGE
codes provide a standardized method of identifying a given facility at a
specific location.)
1. Street name and number
2. Building number (if applicable)
3. Suite number (if applicable)
4. City
5. State
6. Postal code
7. Country [22]
5. Other [please provide the type of identifier]
[22] Use CISA data standards where applicable (Office of the Chief Information Officer - Active Data Standards - All Items (sharepoint.com))
19. [RC] (DESIGN Note: applies only to “Third Party” selection in “red box”)
You indicated you are a third party authorized to report on behalf of the affected
entity. What is the name of your organization? (Please spell out any acronyms)
A. Is your organization a subsidiary of a larger organization? (Yes/No)
1. (DESIGN NOTE: If Yes) Provide the name of the larger/parent organization.
2. What is the preferred email address of the parent organization (e.g.,
[email protected], [email protected])?
3. [Op] What is the primary website of the parent organization?
4. [Op] Please enter the parent organization’s internal tracking number(s)
related to this incident, (e.g., case number), if relevant. (DESIGN NOTE: If “Not
applicable” selected, internal tracking number can be blank)
a. Not applicable (DESIGN NOTE: Radio button)
b. Internal tracking number(s)
B. Please provide the following information about your organization. (Please answer
for your organization and not any parent organization.)
1. What is the preferred email address of your organization?
2. What is the primary website of your organization?
3. [Op] Please enter your organization’s internal tracking number(s) related
to this incident (e.g., case number), if relevant. (DESIGN NOTE: If “not applicable”
is selected, internal tracking number can be blank)
a. Not applicable (DESIGN NOTE: Radio button)
b. Internal tracking number(s)
h. Incident Overview
20. [RA] Provide a high-level summary of the incident.
(DESIGN NOTE: Open Text) (DISPLAY
NOTE: Requests for more details will occur later in this report. Please provide a short “executive
summary” of the incident with a narrative of the incident detection. Consider including a description of any
unauthorized access (including whether the incident involved an unattributed cyber intrusion),
identification of any informational impacts or information compromise, any network location where
activity was observed, and a high-level description of the impacted system(s) (e.g., “email servers, a network
firewall, and a web server”).)
21. [RA] When was the incident first detected?
A. Detection date and time (yyyy-mm-dd HH:MM -)
22. [RA] Have you performed any incident response activities (e.g., cyber hunt activities)
to determine the scope and impact of the incident? (Yes/No)
A. {Conditional} [Op] + [FISMA Req] (DESIGN NOTE: If Yes) Please explain and
include any actions already taken as well as intelligence you may have learned to
date (DESIGN NOTE: Open Text)
Incident Category Type Determination
23. [RA] To the best of your knowledge, please select the categories involved in this
incident (DESIGN NOTE: Multi select, then drop down for more refined selections within each main
category, dropdown lists are in Appendix 3.) (DISPLAY NOTE: Select all that apply)
A. Malware [e.g., ransomware, DDOS, etc.]
B. Human (or technology) errors [e.g., loss of equipment, system misconfiguration,
mishandling of sensitive and/or PII documentation, etc.]
C. Hacking [e.g., password cracking, SQL injection, cross-site scripting, ‘system’
overflows, etc.]
D. Physical actions/destruction [e.g., sabotage, theft, etc.]
E. Environmental factors [e.g., fire, flood, etc.]
F. Social engineering [e.g., phishing, extortion, spam, etc.]
G. Misuse of assets (sometimes called “insider threats”) [e.g., privilege abuse,
unauthorized hardware/software, etc.]
24. [RA] This incident has led to or resulted in (DESIGN NOTE: Multi select) (DISPLAY NOTE:
Select all that apply)
A. Classified data “spillage” to unapproved networks
B. Compromised system(s)
C. Destruction of data or systems (not due to ransomware)
D. Destruction of data or systems (via ransomware)
E. Defacement
F. Equipment loss: loss of control of physical equipment not from theft
G. Operational technology response functions inhibited (e.g., safety, protection,
quality assurance, and operator intervention functions are prevented from
responding to a failure, hazard, or unsafe state [23])
H. Operational technology process control impaired (e.g., physical control processes
are manipulated, disabled, or damaged 24)
I. Supply chain customer disruption (DISPLAY NOTE: The incident involved one of the
reporting entity’s vendors, with an impact on the reporting entity)
J. Supply chain vendor disruption (DISPLAY NOTE: The incident impacted a system or product
that is supplied by the reporting entity to its customers, with a potential impact to one or more
customer)
K. Unauthorized account access
L. Unauthorized removal of account access (e.g., entity’s system administrator’s
account deleted)
M. Unauthorized information access
N. Unauthorized release of information (virtually via computing systems) 25
O. Unauthorized release of information (physically via printed documents or
physical media, or orally) 26
P. Unauthorized use of information
Q. Other [describe]
Footnote 23: Inhibit Response Function, Tactic TA0107 - ICS | MITRE ATT&CK®
Footnote 24: Impair Process Control, Tactic TA0106 - ICS | MITRE ATT&CK®
Footnote 25: Unauthorized release of information “virtually” is an occurrence where a person other than an
authorized user potentially obtains the data, such as by means of a network intrusion, a targeted compromise that
exploits website vulnerabilities, the inadvertent disclosure of information (including PII) via a public website, or a
phishing or social engineering incident executed through an email message or attachment. It may also include an
authorized user obtaining sensitive information (including PII) for other than the authorized purpose. If such an
incident involves personally identifiable information (PII) on a federal system, the unauthorized release is
considered a Breach per OMB – M-17-12. Often, an occurrence may be first identified as an incident, but later
identified as a breach once it is determined that the incident involves PII.
i. Incident Notifications
25. [RA] Have you already notified or reported this incident to an entity other than CISA
or do you plan to notify or report this incident to an entity other than CISA? (Yes/No)
(DISPLAY NOTE: CISA will not use information reported to fulfill any additional legally required
reporting obligations on your or your organization’s behalf. Reporting to CISA only satisfies legally
required reporting requirements to the extent that the reporting requirement explicitly provides that
reporting to or through CISA is a means of compliance.)
A. [CUI]{Conditional} [FISMA Req] (DESIGN NOTE: If Yes) Please list the entities
you will, or did, report to.
1. Information owners (including information managed by the
affected/reporting entity (e.g., cloud provider), and information owned by the
affected/reporting entity’s customer/client agency (e.g., customer owned
information managed by a contracted 3rd party) (DESIGN NOTE: Repeat the
following for each notification entity selected, can also be more than one entry per category, e.g.,
law enforcement can be local and federal notifications)
a. Entity Details (Design Note: Provide check box to allow the reporter to identify
if this value is the same as the impacted entity’s name. If box is checked, copy the
impacted entity’s name to this variable)
1. Organization Name
2. [CUI]Point of contact name
i. First
ii. Last
3. Email address(es) of Point of Contact
4. Phone number(s)
b. Already notified: Date and time (yyyy-mm-dd HH:MM -)
c. Plan to notify: Date and approximate time (yyyy-mm-dd HH:MM )
d. Case/incident/report number provided (if applicable)
2. Inspector general (DESIGN NOTE: Repeat the following sub entries “a through d” for each
notification entity selected, other than the information owner. There can also be more than one
entry “a through d” per category, e.g., law enforcement can be local and federal.)
a. Entity Details
1. Organization Name
2. [CUI]Point of contact name
i. First
ii. Last
3. Email address(es) of Point of Contact
4. Phone number(s)
b. Already notified: Date and time (yyyy-mm-dd HH:MM -)
c. Plan to notify: Date and approximate time (yyyy-mm-dd HH:MM )
d. Case/incident/report number provided (if applicable)
3. Legal counsel
4. Law enforcement
5. Regulatory agency
6. Privacy officials
7. Security staff
8. System owners
9. Other (DESIGN NOTE: Repeat the following sub entries a through d for each notification
entity selected, other than the information owner. There can also be more than one entry “a
through d” per category, e.g., law enforcement can be local and federal.)
a. Entity Details
1. Organization Name
2. [CUI]Point of contact name
i. First
ii. Last
3. Email address(es) of Point of Contact
4. Phone number(s)
5. Position/Title
b. Already notified: Date and time (yyyy-mm-dd HH:MM -)
c. Plan to notify: Date and approximate time (yyyy-mm-dd HH:MM )
d. Case/incident/report number provided (if applicable)
Footnote 26: Unauthorized release of information “physically” is an occurrence where a person other than an
authorized user potentially obtains the data due to the loss or theft of physical documents that include information
(including PII), portable electronic storage media that stores information (including PII), or an oral disclosure of
this sensitive information (including PII) to a person who is not authorized to receive that information. If such an
incident involves PII on a federal system, the unauthorized release is considered a Breach per OMB – M-17-12.
Often, an occurrence may be first identified as an incident, but later identified as a breach once it is determined
that the incident involves PII, as is often the case with a lost or stolen laptop or electronic storage device. This
result includes improper disposal of sensitive and/or PII documentation in containers that could be accessed by
non-authorized personnel (e.g., information with customer credit card or social security numbers thrown in a local
dumpster or lost mail containing PII).
B. [CUI] {Conditional} [FISMA Req] (DESIGN NOTE: If Yes) Have you already, or are
you planning to report this incident to any federal government agency other than
CISA?
1. [If Yes] Which agency? (DESIGN NOTE: Select from agency list in Appendix 5)
a. Entity Details (Design Note: Provide check box to allow the reporter to identify
if this value is the same as the impacted entity’s name. If box is checked, copy the
impacted entity’s name to this variable)
1. Organization Name
2. [CUI]Point of contact name
i. First
ii. Last
3. Email address(es) of Point of Contact
4. Phone number(s)
b. Already notified: Date and time (yyyy-mm-dd HH:MM -)
c. Plan to notify: Date and approximate time (yyyy-mm-dd HH:MM )
d. Case/incident/report number provided (if applicable)
C. (DESIGN NOTE: All other reporters not FISMA) [CUI]{Conditional} [Op] (DESIGN NOTE:
If Yes) Please list the entities you will, or did, report to. (DISPLAY NOTE: This
information may be helpful for CISA to understand if there are other entities that CISA may need to
collaborate with or allow for special considerations during any incident response efforts.)
1. Information owners (examples include information managed by
affected/reporting entity (e.g., cloud provider) but owned by
affected/reporting entity’s customer/client) (DESIGN NOTE: Repeat the following for
each notification entity selected, can also be more than one entry per category, e.g., law
enforcement can be local and federal notifications.)
a. Entity Details (Design Note: Provide check box to allow the reporter to identify
if this value is the same as the impacted entity’s name. If box is checked, copy the
impacted entity’s name to this variable)
1. Organization Name
2. [CUI]Point of contact name
i. First
ii. Last
3. Email address(es) of Point of Contact
4. Phone number(s)
b. Already notified: Date and time (yyyy-mm-dd HH:MM -)
c. Plan to notify: Date and approximate time (yyyy-mm-dd HH:MM )
d. Case/incident/report number provided (if applicable)
2. Law enforcement (DESIGN NOTE: Repeat the following sub entries a through d for each
notification entity selected, other than the information owner. There can also be more than one
entry “a through d” per category, e.g., law enforcement can be local and federal.)
a. Entity Details
1. Organization Name
2. [CUI]Point of contact name
i. First
ii. Last
3. Email address(es) of Point of Contact
4. Phone number(s)
b. Already notified: Date and time (yyyy-mm-dd HH:MM -)
c. Plan to notify: Date and approximate time (yyyy-mm-dd HH:MM )
d. Case/incident/report number provided (if applicable)
3. Regulatory agency
4. Other federal agencies
a. If selected, which agency? (DESIGN NOTE: Select from agency list in
Appendix 5)
5. Other (DESIGN NOTE: Repeat the following sub entries a through d for each notification
entity selected, other than the information owner. There can also be more than one entry “a
through d” per category, e.g., law enforcement can be local and federal.)
a. Entity Details
1. Organization Name
2. [CUI]Point of contact name
i. First
ii. Last
3. Email address(es) of Point of Contact
4. Phone number(s)
5. Position/Title
b. Already notified: Date and time (yyyy-mm-dd HH:MM -)
c. Plan to notify: Date and approximate time (yyyy-mm-dd HH:MM )
d. Case/incident/report number provided (if applicable)
j. Incident: Severity Assessments
Confidentiality, Integrity, Availability (CIA) Assessment 27
26. [RA] (DESIGN NOTE: Logic of all “None” applicable to FISMA reporters – Only. This is an Event-
Incident FLAG for FISMA reporters only. If Q26 A-C are answered “no”, that terminates the rest of the
Incident Questions for a FISMA reporter, and the FISMA reporter is directed towards filling out “Event
Reporting” only.) At this time, is this incident known to either imminently 28 or actually
jeopardize, without lawful authority, any of the following relating to either
information or an information system? (select all that apply) (DESIGN NOTE: For non-FISMA
reports, if “unsure/None” selected for all three CIA questions, then DISPLAY NOTE: You have not
indicated an impact on at least one of the three areas of confidentiality, integrity, or availability per the
definition of an incident.)
A. Confidentiality 29 [] imminently; [] actually; [] unsure; [] none (DESIGN NOTE: Have
radio button for all)
B. Integrity 30 [] imminently; [] actually; [] unsure; [] none (DESIGN NOTE: Have radio
button for all)
C. Availability 31 [] imminently; [] actually; [] unsure; [] none (DESIGN NOTE: Have
radio button for all)
Footnote 27: The concepts of confidentiality, integrity, and availability (CIA), often referred to as the “C-I-A
triad,” represent the three pillars of information security. See, e.g., NIST, NIST Special Publication 1800-25 Vol. A,
Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, at 1 (Dec.
2020), available at https://csrc.nist.gov/pubs/sp/1800/25/final
Footnote 28: Imminently: [a. Imminent] "ready to take place; happening soon" or "something bad or dangerous
seen as menacingly near." [b. Imminent danger] "[Such an appearance of threatened and impending injury [could
change to harm to an entity's information or information systems] as would put a reasonable and prudent [person]
to his instant defense." Specifically surrounding networks and data, imminently implies there is reasonable
suspicion a threat is going to target my entity's information or information systems. [derived from a. Webster’s
Dictionary and b. Black’s Law Dictionary {respectively}]
Footnote 29: “Confidentiality” refers to “preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information.” [e.g., threat actor has access to your
information or an information system, without consent.]
Violation of Law and Policy
27. [RA] At this time, does this incident constitute an imminent or actual violation of law,
security policies, security procedures, or acceptable use policies? (Yes/No) (DESIGN
NOTE: If Yes) Please make selection(s) below
A. Violation of law [] imminently; [] actually; [] unsure; [] none (DESIGN NOTE: Single
select have radio button for all.)
B. Security policies and/or procedures [] imminently; [] actually; [] unsure; [] none
(DESIGN NOTE: Single select have radio button for all.)
C. Acceptable use policies [] imminently; [] actually; [] unsure; [] none (DESIGN
NOTE: Single select have radio button for all.)
Incident: High-Level Impacts
Public Impacts
National US Impacts
(DESIGN NOTE: Major Incident Flag Questions. Any “Yes” answer here is used to determine if the reporter is
reporting a major incident as defined by FISMA in the next question by adding in “Demonstrable Harm” for
those that selected “Yes” here.)
28. [Op] + [FISMA Req] To the best of your knowledge, does the incident likely impact
any of the following? (Select all that apply)
A. National security interests of the United States
B. Foreign relations of the United States
C. Economy of the United States
D. Public confidence of the American people
E. Civil liberties of the American people
F. Public health and safety of the American people
(DESIGN NOTE: Major Incident - FLAG Questions: For “Q29”, users should see all options from “Q28”
that they selected, i.e., the items of “the incident is likely to result in any impact to” above for which the answer
was selected. This is a distinction for FISMA reports only) (DISPLAY NOTE: Any impacts selected with a
“demonstrable harm” severity will indicate that the incident is considered a “major incident” under FISMA reporting.)
29. [Op] + [FISMA Req] At the time of this report, of the likely impacts of this incident
selected above, are any of them likely to result in demonstrable harm to the United
States? (DISPLAY NOTE: Select those that are likely to result in demonstrable harm.) (DESIGN NOTE:
Skip this question if nothing selected in question 28. Display list containing only the options the user
selected in Q28. Provide user a “check box” in Q29 so they can indicate which options represent
“demonstrable harm.”)
Footnote 30: “Integrity” refers to “guarding against improper information modification or destruction and
ensuring information non-repudiation and authenticity.” [e.g., a threat actor has modified or deleted your
information, without your consent.]
Footnote 31: “Availability” refers to “ensuring timely and reliable access to and use of information.” [e.g., a threat
actor has impeded you from accessing or operating the information system or information in the way you intended
(DDOS)]
Regional Impacts (Local to Global)
30. [Op] + [RR] To the best of your knowledge, describe the extent of the incident’s
impact on the population/geographic region
A. Internal/site-specific (Impacts are felt by the impacted entity or a particular
facility or site, but not externally)
B. Local (Impact is limited to entities or customers in the immediate area (e.g., town,
city) external to the core business of the affected entity)
C. State/territory-wide
D. Regional
E. Multi-regional
F. National
G. Multi-national
H. Global
I. Unknown
Breach 32 Severity Impacts
31. [Op] + [FISMA Req] At this time, has the incident resulted in any confirmed
unauthorized access to personally identifiable information? (Yes/No) (DESIGN NOTE: If
Yes, flag as Breach Incident and include Incident Stage (A): Breach Details. Show follow-on short questions
“access due” and “accessed by” only if “Yes”.)
A. Was the access due to (select all that apply):
1. Loss of control
2. Compromise
3. Unauthorized disclosure
4. Unauthorized acquisition
B. Was the information accessed by (select all that apply):
1. A person other than an authorized user
2. An authorized user who accessed the personally identifiable information for
an other-than-authorized purpose
Footnote 32: Breach: “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any
similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally
identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable
information for an other-than-authorized purpose.” per OMB M-17-12
32. {Conditional}[Op] + [FISMA Req] (DESIGN NOTE: Do not ask this question if the “Confirmed
Unauthorized Access” question yields a positive selection response. Only ask if previous response to
“confirmed” = “No”) At this time, has the incident resulted in any potential unauthorized
access to personally identifiable information? (Yes/No) (DESIGN NOTE: If Yes, flag as
Breach Incident and include Incident Stage (A): Breach Details. Show follow-on short questions “access
due” and “accessed by” only if “Yes”.)
A. Was the potential unauthorized access due to: (select all that apply)
1. Loss of control
2. Compromise
3. Unauthorized disclosure
4. Unauthorized acquisition
B. Was the information potentially accessed by (select all that apply)
1. A person other than an authorized user
2. An authorized user who accessed the personally identifiable information for
an other-than-authorized purpose
(DESIGN NOTE: Following responses for Q31 and Q32, if breach severity “confirmed or potential unauthorized
access” = Yes, DISPLAY on “POP UP SCREEN”, display note to reporter: “You have indicated you have had an
actual or potential breach and impacts to PII. You will be given an opportunity to provide more details on the
types of PII impacted later in this report.”)
Major Incident Severity Determination (FISMA Only)
33. [FISMA Req] At the time of this report, did any of the following occur involving
personally identifiable information? (DESIGN NOTE: Major Incident - FLAG Question: Only
appears if Breach Severity “Confirmed or Potential Unauthorized Access” = Yes. If any “100,000” field is
answered yes below, flag as major incident. (DESIGN NOTE: a FISMA major Incident = a significant
cyber incident) (DESIGN NOTE: multi select) (DISPLAY NOTE: Select all that apply)
A. [ ] Unauthorized modification
1. (DESIGN NOTE: If selected display following:)
a. Was this a [ ] potential or [ ] actual occurrence?
b. Did this occurrence or potential occurrence involve the PII of
100,000 or more people? (Y/N)
B. [ ] Unauthorized deletion
1. (DESIGN NOTE: If selected display following:)
a. Was this a [ ] potential or [ ] actual occurrence?
b. Did this occurrence or potential occurrence involve the PII of
100,000 or more people? (Y/N)
C. [ ] Unauthorized exfiltration
1. (DESIGN NOTE: If selected display following:)
a. Was this a [ ] potential or [ ] actual occurrence?
b. Did this occurrence or potential occurrence involve the PII of
100,000 or more people? (Y/N)
D. [ ] Unauthorized access
1. (DESIGN NOTE: If selected display following:)
a. Was this a [ ] potential or [ ] actual occurrence?
b. Did this occurrence or potential occurrence involve the PII of
100,000 or more people? (Y/N)
34. [FISMA Req] At the time of this report, has your answer to any item within the
preceding “major incident severity” questions changed since a previous report?
(Yes/No) (DESIGN NOTE: Only show if “supplemental/update” or “post-incident” report is selected)
A. (DESIGN NOTE: If Yes) Did this change cause the report to (Select one response)
1. [ ] Upgrade to a major incident?
a. Please provide additional context for the change
2. [ ] Downgrade from a major incident?
a. Please provide additional context for the change
3. [ ] No change in major incident determination (the incident was either
previously not determined to be a major incident and remains as such, or was
previously determined to be a major incident and remains as such)
a. Please provide additional context
35. [FISMA Req] (DESIGN NOTE: Only asked of FISMA reporters if the incident has been indicated as a
“Major Incident” per thresholds in questions 29 and/or 33.) Has this incident been reported to
Congress? (Yes/No)
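The design notes attached to Q26, Q29, Q31 through Q33 and Q35 together describe the branching the form applies: the FISMA event-versus-incident gate on the CIA answers, the breach flag from confirmed or potential PII access, and the major incident flag from either demonstrable harm or a 100,000-person PII occurrence. The following Python is an added example of that routing logic written for this page; it is not code from the CISA form or any CISA system. The IncidentAnswers field names, the route() function, and the treatment of an “unsure” CIA answer as not jeopardizing that area are assumptions made here, not statements of the form.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Answer vocabulary taken from Q26 A-C, and the Q33 threshold ("100,000 or more people").
CIA_AREAS = ("confidentiality", "integrity", "availability")
CIA_CHOICES = {"imminently", "actually", "unsure", "none"}
MAJOR_INCIDENT_PII_THRESHOLD = 100_000

# DISPLAY NOTE texts quoted from the Q26 and Q31/Q32 design notes.
NO_CIA_IMPACT_NOTE = ("You have not indicated an impact on at least one of the three areas "
                      "of confidentiality, integrity, or availability per the definition of an incident.")
BREACH_POPUP_NOTE = ("You have indicated you have had an actual or potential breach and impacts to PII. "
                     "You will be given an opportunity to provide more details on the types of PII "
                     "impacted later in this report.")


@dataclass
class IncidentAnswers:
    """Constructed container for the answers the flag logic depends on (field names are assumptions)."""
    fisma_reporter: bool
    cia: Dict[str, str]                                          # Q26: area -> one of CIA_CHOICES
    likely_impacts: List[str] = field(default_factory=list)      # Q28 selections
    demonstrable_harm: List[str] = field(default_factory=list)   # Q29: subset of the Q28 selections
    confirmed_pii_access: bool = False                           # Q31
    potential_pii_access: bool = False                           # Q32 (only asked when Q31 is No)
    pii_occurrences: Dict[str, int] = field(default_factory=dict)  # Q33: occurrence -> people involved


def cia_jeopardized(cia: Dict[str, str]) -> bool:
    """Q26: at least one of C/I/A marked 'imminently' or 'actually'.

    'unsure' and 'none' are treated as no jeopardy (an assumption; the form only
    says that all-'None' ends the incident questions for FISMA reporters)."""
    for area in CIA_AREAS:
        if cia.get(area, "none") not in CIA_CHOICES:
            raise ValueError(f"invalid Q26 answer for {area}: {cia.get(area)!r}")
    return any(cia.get(area) in ("imminently", "actually") for area in CIA_AREAS)


def route(answers: IncidentAnswers) -> dict:
    """Derive the form's flags (event_only, breach, major_incident, ask_congress) and display notes."""
    flags = {"event_only": False, "breach": False, "major_incident": False,
             "ask_congress": False, "display_notes": []}
    jeopardized = cia_jeopardized(answers.cia)

    # Q26 design note: a FISMA reporter with no C/I/A jeopardy is sent to Event Reporting
    # and the remaining incident questions are not asked, so stop here.
    if answers.fisma_reporter and not jeopardized:
        flags["event_only"] = True
        return flags
    if not jeopardized:  # non-FISMA reporters only see the display note and continue
        flags["display_notes"].append(NO_CIA_IMPACT_NOTE)

    # Q29 lists only the Q28 selections, so a Q29 pick outside them is a form-logic error.
    extra = set(answers.demonstrable_harm) - set(answers.likely_impacts)
    if extra:
        raise ValueError(f"Q29 selections not chosen in Q28: {sorted(extra)}")

    # Q31/Q32: confirmed access is decisive; potential access is asked only when confirmed is No.
    potential = answers.potential_pii_access and not answers.confirmed_pii_access
    flags["breach"] = answers.confirmed_pii_access or potential
    if flags["breach"]:
        flags["display_notes"].append(BREACH_POPUP_NOTE)

    # Q33 appears only for a breach; any occurrence at or above the threshold flags a major incident.
    pii_major = flags["breach"] and any(n >= MAJOR_INCIDENT_PII_THRESHOLD
                                       for n in answers.pii_occurrences.values())
    # Q29 and Q33 determine "major incident", a FISMA-only distinction; Q35 (Congress) follows from it.
    flags["major_incident"] = answers.fisma_reporter and (bool(answers.demonstrable_harm) or pii_major)
    flags["ask_congress"] = flags["major_incident"]
    return flags


if __name__ == "__main__":
    # Constructed sample: a FISMA reporter with a confirmed PII breach affecting 250,000 people.
    sample = IncidentAnswers(True, {"confidentiality": "actually", "integrity": "none", "availability": "unsure"},
                             confirmed_pii_access=True, pii_occurrences={"Unauthorized exfiltration": 250_000})
    print(route(sample))
```

The subset check on Q29 mirrors the design note that the Q29 list is built only from the reporter's Q28 selections; an intake system that accepts free-form Q29 values without that check would let a client mark demonstrable harm on an impact area it never claimed, which silently changes the major incident determination.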
Public Health and Safety Impacts
36. [Op] + [RR] To the best of your knowledge, what is the current impact of this
incident on public health? (DISPLAY NOTE: Public health impacts are defined as “impacts on an
affected population measured based on new and increased death, disease, injury, and disability.” Impacts to
access to medical care are considered public safety impacts, which are addressed in a later question.)
A. No impact – Incident has no impact on public health
B. Low impact – Incident has resulted in one or more minor injuries and/or
temporary disabilities that have not required emergency response (e.g., minor
symptoms prompting self-care)
C. Moderate impact – Incident has resulted in one or more moderate injuries and/or
lasting disabilities that have required emergency response and/or risk (e.g., easily
treated symptoms or hospital diagnostic visits)
D. High impact – Incident has resulted in one or more serious injuries that have
required emergency response and/or permanent disabilities
E. Critical impact – Incident has resulted in one or more deaths
F. Unknown impact – Reporter does not have information required to assess the
impact of the incident on public health
37. [Op] + [RR] To the best of your knowledge, what is the current impact of this
incident on public safety? (DISPLAY NOTE: Public safety impacts are defined as “Impact measured
based on an affected population’s ability to obtain shelter (e.g., temporary housing, temperature
regulation), healthcare (e.g., emergency response services, open hospital beds), and lifeline resources (e.g.,
clean air and water, nutrition, hydration, communication – phone and internet service) and to maintain
physical safety (e.g., data breaches that threaten individual safety).”)
A. No impact – Incident has no impact on public safety
B. Low impact – Incident has minimal impact on public safety (e.g., limited, short
term disruption of essential services and/or lifeline resources – phone and internet
service, electricity, water)
C. Moderate impact – Incident has more extensive impact on public safety (e.g.,
longer-term disruption of lifeline resources such as phone, internet, electricity,
and water; healthcare and shelter impacts/disruptions from loss of electricity for
extended period)
Page 34 of 120
DRAFT FOR PUBLIC COMMENT
D. High impact – Incident has severe impact on public safety (e.g., evacuation and
temporary housing of displaced communities; immediate threats to physical safety
of the public; extended disruption of essential services; stress on healthcare
resources; water and air contamination)
E. Critical impact – Incident has catastrophic impact on public safety (e.g., long-term
environmental contamination; cessation of essential services such as law
enforcement and healthcare; societal instability)
F. Unknown impact – Reporter does not have the information required to assess the
impact of the incident on public safety
Indirect Impacts
38. [Op] + [RR] To the best of your knowledge, were/are there any indirect (or
secondary) impacts to other critical infrastructure sector(s) 33? (Yes/No)
A. (DESIGN NOTE: If Yes) Please select the appropriate critical infrastructure sector and
the appropriate critical infrastructure subsector(s) (if applicable) that were
indirectly impacted, and indicate what type of impact (functional, informational,
economic and/or physical). (DESIGN NOTE: See Appendix 4 for complete critical
infrastructure sector and subsector list.)
(DESIGN NOTE: Multi select) (DISPLAY NOTE: Indirect impact is defined as “an effect that is not a
direct consequence of an incident, but is caused by a direct consequence, subsequent cascading effects,
and/or related decisions. For example, if an electric power plant is the victim of a malicious cyber incident,
directly impacting the provision of energy sector services (in this case, electricity), other local or regional
sectors that are dependent on that electricity – e.g., commercial facilities and critical manufacturing – may
experience indirect impacts.”)
1. Chemical (DESIGN NOTE: Multi select include any subsector lists from Appendix 4 as
necessary and repeat the four “impact” selections per critical infrastructure-cross sector and/or
subsector instance selected)
a. Type(s) of Impact: (DESIGN NOTE: Multi select) (DISPLAY NOTE: Select all
that apply)
1. Functional impact 34
2. Informational impact 35
3. Economic impact 36
4. Physical impact 37
b. Subsector list (if available) here: (DESIGN NOTE: Multi select) (DISPLAY
NOTE: Select all that apply)
1. Type(s) of Impact:
i. Functional impact
ii. Informational impact
iii. Economic impact
iv. Physical impact
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems
17. Unknown
Footnote 33: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
Footnote 34: Functional impact: A measure of the actual, ongoing impact to the organization. In many cases (e.g.,
scans and probes or a successfully defended attack), little or no impact may be experienced due to the incident
(CISA National Incident Cyber Scoring System). CISA National Cyber Incident Scoring System (NCISS) | CISA
Footnote 35: Informational Impact: In addition to functional impact, incidents may also affect the confidentiality,
integrity and availability of the information stored or processed by various systems. The information impact
category is used to describe the type of information lost, compromised, or corrupted. (CISA National Incident
Cyber Scoring System). CISA National Cyber Incident Scoring System (NCISS) | CISA
Footnote 36: Economic Impact: Any costs or losses experienced due to an incident, including the general
categories listed in this form in question #38A-G. These categories are more specifically defined in the CISA
report: “Cost of Cyber Incident;” see Table 44 in Appendix C,
https://www.cisa.gov/sites/default/files/2023-01/CISAOCE_Cost_of_Cyber_Incidents_Study-FINAL_508.pdf
39. [Op] + [RR] To the best of your knowledge, what is the current functional,
informational, economic, and/or physical impact to other third parties that are not
entities in a critical infrastructure sector? (DESIGN NOTE: Multi select)
A. Functional impact
1. Not applicable, there is no possibility of indirect functional impact to entities
not in a critical infrastructure sector
2. No impact at this time
3. Low impact
4. Moderate impact
5. High impact
6. Critical
7. Unknown
B. Informational impact
1. Not applicable, there is no possibility of indirect informational impact to
entities not in a critical infrastructure sector
2. No impact at this time
3. Low impact
4. Moderate impact
5. High impact
6. Critical
7. Unknown
C. Economic impact
1. Not applicable, there is no possibility of indirect economic impact to entities
not in a critical infrastructure sector
2. No impact at this time
3. Low impact
4. Moderate impact
5. High impact
6. Critical
7. Unknown
D. Physical impact
1. Not applicable, there is no possibility of indirect physical impact to entities
not in a critical infrastructure sector
2. No impact at this time
3. Low impact
4. Moderate impact
5. High impact
6. Critical
7. Unknown
Footnote 37: Physical Impact: The resultant of an incident that has caused intentional or accidental damage to a
physical system/facility/surrounding environment, that disrupts, incapacitates, or destroys reliable operations of
critical infrastructure, including personnel therein.
Impacts Internal to the Entity
Functional Impacts to Entity
40. [Op] + [RR] To the best of your knowledge, what is the current functional impact 38
of this incident?
A. No impact to both non-critical and critical services (DISPLAY NOTE: Incident has no
impact.)
B. Non-critical services:
1. No impact to non-critical services (DISPLAY NOTE: Incident has no impact to non-critical
services.)
2. Low impact to non-critical services (DISPLAY NOTE: Incident has low impact on any
business or on delivery to entity customers.)
3. Moderate impact to non-critical services (DISPLAY NOTE: Moderate impact to non-critical
services. Some small level of impact to non-critical systems and services.)
4. High impact to non-critical services (DISPLAY NOTE: Significant impact to non-critical
services. A non-critical service or system has a significant impact.)
5. Critical impact to non-critical services (DISPLAY NOTE: Denial of non-critical
services. A non-critical system’s access is denied, or system’s functionality is destroyed.)
6. Unknown
C. Critical services:
1. No impact to critical services (DISPLAY NOTE: Incident has no impact to critical
services.)
2. Low impact to critical services (DISPLAY NOTE: Incident has low impact on any
industrial control systems (ICS) or on delivery of critical services to entity customers.)
3. Moderate impact to critical services 39 (DISPLAY NOTE: Moderate impact to a critical
system or service (e.g., email, active directory).)
4. High impact to critical services (DISPLAY NOTE: A critical system has a significant
impact (e.g., local administrative account compromise).)
5. Critical impact to critical services (DISPLAY NOTE: Denial of critical services/loss of
control. A critical system has been rendered unavailable.)
6. Unknown
Footnote 38: Functional impact is a measure of the actual, ongoing impact to the organization. In many cases
(e.g., scans and probes or a successfully defended attack), little or no impact may be experienced due to the
incident (CISA National Incident Cyber Scoring System). CISA National Cyber Incident Scoring System (NCISS) | CISA
41. {Conditional} [Op] + [RR] (DESIGN NOTE: Only display question if the response to "Functional Impact" yields a "Low, Moderate, High, Critical, or Unknown" selection by the reporter for either non-critical or critical services) Please select (one) the most severe location, from the list below, at which any disruption was observed in your entity's non-critical business or critical system networks within your environment:
A. Business demilitarized zone (DMZ) (Activity was observed in the business network's demilitarized zone (DMZ))
B. Business network (Activity was observed in the business or corporate network of the entity; these systems would include corporate user workstations, application servers, and other non-core management systems)
C. Business network management (Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores)
D. Critical system DMZ (Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay "jump" boxes into more critical systems.)
E. Critical system management (Activity was observed in high-level critical systems management such as human-machine interfaces in Industrial Control Systems)
F. Critical systems (Activity was observed in the critical systems that operate critical processes.)
G. Unknown
H. Other [describe] (DESIGN NOTE: Open Text)

39 Critical System/Services/Property: Specific entity [system/service/property] that is of such extraordinary importance that its incapacitation or destruction would have a very serious, debilitating effect on the ability of a nation [or organization, business, entity] to continue to function effectively; [a system/service/property of great] importance to a mission or function, or continuity of operations. Derived from "critical asset" (pages 135-136) and "criticality" (page 139) of https://www.dhs.gov/publication/dhs-lexicon
Informational Impacts to Entity
42. [Op] + [RR] To the best of your knowledge, what is the current informational impact[40] of this incident?
A. No impact
B. Low impact
C. Moderate impact
D. High impact
E. Critical impact (unrecoverable)
F. Unknown
Physical Impacts to Entity
43. [Op] + [RR] To the best of your knowledge, what is the current physical impact[41] of this incident?
A. No physical impact to both property and systems
B. Physical impacts to property:
1. No impact to non-critical and critical property
2. Low impact to property (DISPLAY NOTE: Damage to non-critical property)
3. Moderate impact to property (DISPLAY NOTE: Damage to critical property[42])
4. High impact to property (DISPLAY NOTE: Destruction of non-critical property)
5. Critical impact to property (DISPLAY NOTE: Destruction of critical property)
6. Unknown
C. Physical impacts to systems:
1. No impact to non-critical and critical systems
2. Low impact to systems (DISPLAY NOTE: Damage to non-critical systems)
3. Moderate impact to systems (DISPLAY NOTE: Damage to critical systems)
4. High impact to systems (DISPLAY NOTE: Destruction of non-critical systems)
5. Critical impact to systems (DISPLAY NOTE: Destruction of critical systems)
6. Unknown

40 Informational Impact: In addition to functional impact, incidents may also affect the confidentiality, integrity and availability of the information stored or processed by various systems. The information impact category is used to describe the type of information lost, compromised, or corrupted. (CISA National Cyber Incident Scoring System (NCISS) | CISA)
41 Physical Impact: The result of an incident that has caused intentional or accidental damage to a physical system, facility, or surrounding environment, and that disrupts, incapacitates, or destroys reliable operations of critical infrastructure, including personnel therein.
42 Critical System/Services/Property: See footnote 39.
Economic Impacts to Entity
44. [Op] + [RR] To the best of your knowledge, what is the current economic impact[43] of this incident? (DISPLAY NOTE: Estimate any costs or losses associated with the categories of economic impacts listed below. If you require further clarity on the meaning of these categories of economic impacts, see the CISA report "Cost of Cyber Incident."[44])
A. Incident investigation and forensic analysis
1. Please provide estimates in U.S. dollars for each applicable category of economic impact (use a range from minimum to maximum where uncertain, or the same value for both if known) (DESIGN NOTE: Repeated for each selected)
B. Incident response and containment (including direct response, cleanup, and recovery costs)
C. Lost revenue or productivity
D. Theft, fraud, and direct financial losses (including any ransomware payments disbursed)
E. Legal fees and regulatory fines
F. Victim notification and protection services
G. Other losses (e.g., loss of intellectual property)
k. Incident Details
Incident: Details by Stage
(DISPLAY NOTE: The following questions will collect details about the incident according to how far you are in the "incident lifecycle" (based on the major phases of an incident life cycle from NIST SP 800-61 r2, Computer Security Incident Handling Guide).[45] Please note, you can be in multiple stages of an incident response at one time and can revisit any incident stage-specific section of this report at any point if there is new information to report.)
l. Identification and Detection (I/D) Stage
Incident Stage (I/D): Ransomware and Cyber Extortion
(DESIGN NOTE: Executes if incident is flagged as a Ransomware Incident in “Incident Type
Determination” above as indicated in “red box” below:)
43 Economic Impact: Any costs or losses experienced due to an incident, including the general categories listed in this form in question 44, items A-G. These categories are more specifically defined in the CISA report "Cost of Cyber Incident"; see Table 44 in Appendix C, https://www.cisa.gov/sites/default/files/2023-01/CISAOCE_Cost_of_Cyber_Incidents_Study-FINAL_508.pdf
44 See Table 44 in Appendix C; https://www.cisa.gov/sites/default/files/2023-01/CISAOCE_Cost_of_Cyber_Incidents_Study-FINAL_508.pdf
45 https://csrc.nist.gov/pubs/sp/800/61/r2/final
Initial Ransom Demand Details
45. [RC] Please provide the following details about the ransom demand associated with
this incident:
A. [C-15] [Op] + [FISMA Req] Text of ransom demand(s) (DESIGN NOTE: Open text)
B. [C-15] [Op] + [FISMA Req] Screenshot of ransom note(s) or copy of the email(s)
C. [C-15] [Op] + [FISMA Req] Ransomware variant used (if known)
D. [C-15] [Op] + [FISMA Req] Amount of ransom demand
E. [C-15] [Op] + [FISMA Req] Currency type of ransom demand, including virtual
currency
F. [C-15] [Op] + [FISMA Req] Text of ransom payment instructions (if not already
included in response to A, above) (DESIGN NOTE: Allow for a response to be “Same as
response A”, this is an open text otherwise.)
G. [C-15] [Op] + [FISMA Req] Deadline given to pay ransom. Please provide the
Date and Time (yyyy-mm-dd HH:MM -) (DISPLAY NOTE: This could be
a time in the future at time of report.)
H. [C-15] [Op] + [FISMA Req] Description of any additional communications
between the threat actors and either the impacted entity or a third party authorized
to act on its behalf (e.g., phone conversations)
I. [Op] + [FISMA Req] Does your organization have insurance that covers
ransomware demand payments? (Yes/No)
1. (DESIGN NOTE: If Yes) Please provide insurance company details
a. Name
b. Email address
1. Unknown
c. Website
1. Unknown
d. Physical address
1. Street name and number
2. Postal code
3. City
4. State
5. Country
e. Other contact information
f. Insurance annual premium amount (DISPLAY NOTE: Primary carrier
amounts if applicable, and if there is a separate cost for “ransom payments” only
include that amount, otherwise total cost is acceptable.)
1. Amount
i. [ ] Select if primary carrier amount
ii. [ ] Ransom coverage only [ ] Total coverage (DESIGN NOTE: Select one)
2. Does the impacted entity plan on seeking, or has it already sought coverage
from its insurers for this incident? (Yes/No)
Ransom Payment Details
J. Ransom Payment Details
1. [Op] + [FISMA Req] Was a ransom paid? (Yes/No)
a. {Conditional} + [Op] + [RR] (DESIGN NOTE: If Yes) Did your ransom payment insurance cover the incident? (Yes/No) (DESIGN NOTE: Only ask if answered "Yes" to having ransomware insurance and planning to seek coverage.)
2. {Conditional} [Op] + [FISMA Req] If ransom was paid, provide the following (DESIGN NOTE: Set Payment Count as 1.)
(DESIGN NOTE: ==============Ransomware Payment Details=================)
a. [CUI] [Op] + [FISMA Req] Negotiation Details: Did you use a negotiation agent? (Yes/No) {Conditional} + [Op] + [FISMA Req] (DESIGN NOTE: If Yes) Provide
1. [CUI] Negotiation agent point of contact
i. [CUI] If person
1. First
2. Last
3. Phone number(s)
4. Email address(es)
5. Position/title
ii. If entity
1. Name
2. Email address
i. Unknown
3. Website
i. Unknown
4. Physical address
i. Street name and number
ii. Postal code
iii. City
iv. State
v. Country
5. Other contact information
(DISPLAY NOTE: When a ransom payment is made, the victim sharing information regarding the payer (the
person paying the ransom payment), the recipient (the person receiving the ransom payment), and how the
transaction occurred can enable a more effective federal response to a ransom (or extortion) incident. CISA
recognizes there may be multiple transactions over the course of the incident; this form will solicit the
(potentially) unique details for each transaction separately.)
b. [CUI] [Op] + [FISMA Req] Is the payer an individual or entity?
(Select: Individual/entity) (DESIGN NOTE: Single select)
1. [CUI]{Conditional} + [Op] + [FISMA Req] [Payer] (DESIGN
NOTE: If Individual):
i. First
ii. Last
iii. Phone number(s)
iv. Email address(es)
v. Position/title
vi. Organization
2. [CUI] {Conditional} + [Op] + [FISMA Req] [Payer] (DESIGN NOTE: If Entity):
i. Entity name
ii. [CUI] Point of contact
1. First
2. Last
3. Phone number(s)
4. Email address(es)
5. Position/title
iii. Entity email address
1. Unknown
iv. Website
1. Unknown
v. Physical address
1. Street name and number
2. Postal code
3. City
4. State
5. Country
vi. [CUI] Other contact information
3. [CUI] [Op] + [FISMA Req] [Payer] Details of transaction per payment made to date: (DISPLAY NOTE: This is from the Payer's perspective. Additionally, the total ransom/extortion amount could be spread among multiple payments and different methods.)
i. Date and time payment was disbursed from the payer making the ransom payment to satisfy the ransom demand
ii. Currency type (traditional, virtual/digital asset, or other)
1. Currency
2. Other, provide description (DESIGN NOTE: Open text)
iii. Amount of payment (may be equal to or different from the actual demand)
1. In virtual/digital asset
2. In US dollar value at the time of the transaction
iv. [CUI] For transactions that involved a bank or another type of financial institution (e.g., in facilitating the payment)
1. Name of bank or financial institution
2. Address of bank or financial institution
i. Street name and number
ii. Postal code
iii. City
iv. State
v. Country
3. Name(s) on the account
4. Account number
5. Routing number
i. Origin
v. [CUI] If virtual (e.g., crypto) currencies were used:
1. Service used to
i. Purchase the currency
ii. Store the currency
iii. Transmit the currency
2. [CUI] Transaction ID (e.g., transaction hash), if known
3. [CUI] Virtual (crypto) currency address(es)
i. Payer addresses
vi. Other method of paying the ransom / extortion demands
1. [CUI] Describe the method
vii. If the transaction occurred at a physical location, please provide
1. Address of transaction
i. Geographical point of interest (location)
ii. Street name and number
iii. Postal code
iv. City
v. State
vi. Country
2. Any other physical location characteristics, describe here:
c. [CUI] [Op] + [FISMA Req] To the best of your knowledge, is the recipient an individual, entity, or group?
Select: [ ] Individual [ ] Entity [ ] Group [ ] Unknown (DESIGN NOTE: Skip "point of contact" info if "Unknown" selected) (DESIGN NOTE: Single select)
1. [CUI] [Op] [FISMA Req if selected] [Recipient] (DESIGN NOTE: If Individual) Please provide the following information to the extent known:
i. First
ii. Middle
iii. Last
iv. Suffix
v. Phone number(s)
vi. Email address(es)
vii. Social media information
viii. Position/title
2. [CUI] [Op] + [FISMA Req if selected] [Recipient] (DESIGN NOTE: If Entity/Group) Please provide the following information to the extent known:
i. Name
ii. [CUI] Point of contact at entity
1. First
2. Middle
3. Last
4. Suffix
5. Phone number(s)
6. Email address(es)
7. Position/title
iii. Entity email address
iv. Entity social media information
v. Entity website
vi. Physical address
1. Street name
2. Street number
3. Postal code
4. City
5. State
6. Country
vii. Any other contact information, describe here:
d. [CUI] [Op] + [FISMA Req if available] [Recipient] Details of transaction per payment: (DISPLAY NOTE: This is from the Recipient's perspective. Additionally, the total ransom/extortion amount could be spread among multiple payments and different methods.)
1. Date and time of ransom payment
2. Currency type (traditional, virtual/digital, or other)
i. Currency
ii. Other, provide description (DESIGN NOTE: Open text)
3. Amount of ransom payment (may be equal to or different from the actual demand)
i. In virtual/digital asset
ii. In US dollars
4. [CUI] For transaction(s) that involved a bank or another type of financial institution:
i. Name of bank or financial institution
ii. Address of bank or financial institution
1. Street name and number
2. Postal code
3. City
4. State
5. Country
iii. Name(s) on the account
iv. Account number
v. Routing number
1. Destination
5. If virtual (e.g., crypto) currencies were used
i. Service used to
1. Purchase the currency
2. Store the currency
3. Transmit the currency
ii. [CUI] Transaction ID (e.g., transaction hash), if known
iii. [CUI] Virtual (crypto) currency address(es)
1. Payee addresses
K. [Op] + [FISMA Req] Identifying payment installments
1. Were multiple payments made (e.g., installments, differing methods [some physical cash, some virtual])? (Yes/No) (DESIGN NOTE: If Yes, complete another session of "payment details" and associate payment # to installment # + 1. Provide an option to copy over the information from the first payment, since it may all be the same except for date/time.)
(DESIGN NOTE: ^^^^^^^^=End of Ransom Payment Details=^^^^^^^^)
Results of Ransom Incident
L. [CUI] [Op] + [FISMA Req] Results of ransomware/cyber extortion incident
1. Were you provided with decryption capabilities (e.g., keys) by the threat
actor? (Yes/No)
a. (DESIGN NOTE: If Yes) Did the keys work?
b. What percentage of the files were recoverable (approximate)?
2. To the best of your knowledge, was any data stolen? (Yes/No/Unsure)
(DESIGN NOTE: If Yes or Unsure):
a. [CUI] Describe the type of data stolen or suspected to have been
stolen, to the best of your knowledge (DESIGN NOTE: Open text)
b. [CUI] Did the threat actors leak any stolen data, to the best of your
knowledge? (Yes/No) (DESIGN NOTE: If Yes) [describe]
c. [CUI] Did the threat actors use any other pressure tactics, such as
contacting third parties to inform them of the compromise?
(Yes/No) (DESIGN NOTE: If Yes) [describe].
3. [CUI] Describe any additional results of the ransom incident.
M. [Op] + [FISMA Req] Did you experience follow-on attempts by threat actors to
extort money or services? (Yes/No)
{Conditional} [Op] + [FISMA Req] (DESIGN NOTE: If Yes) Did you pay the
additional ransom or extortion demands? (Yes/No)
(DESIGN NOTE: If Yes, repeat ===Ransomware Payment Details==)
N. [Op] + [FISMA Req] Do you have any other information regarding the
ransomware incident not previously provided (e.g., communications with the
threat actors, transcripts, audio recordings, emails, chats)? (Yes/No)
1. Describe (DESIGN NOTE: If Yes: Open text)
Incident Stage (I/D): Tactics, Techniques and Procedures
(TTPs) and Indicators of Compromise (IOCs) Observed
46. [RA] Would you like to document the tactics, techniques, and procedures (TTPs) and
related indicators of compromise(s) (IOCs) you observed by using our offline
template and uploading the completed file, or would you prefer to proceed and enter
the TTPs and IOCs directly in this online form?
(DESIGN NOTE: select one) (DESIGN NOTE: If “Template” is selected, skip over following questions 47,
48, 49, 50).
A. [ ] I’d like to use the offline template (DESIGN NOTE: If selected, proceed to Q47)
B. [ ] I’d like to proceed with this report using the online form (DESIGN NOTE: If
selected proceed to Q48)
47. {Conditional on Q46.A is selected} [Op] You have indicated you will use the offline
template to document your TTPs and IOCs, then will upload the file once complete.
Please proceed with the download of the template and instructions (below) and return
to this point in the online form to upload your completed file.
A. Download the TTP/IOC template/instructions here: DOWNLOAD
TEMPLATE/INSTRUCTIONS
B. Upload the completed offline TTP/IOC template file here: UPLOAD TEMPLATE
1. Select here to continue this report and return to upload your offline form
later.
Incident Stage (I/D): Tactics, Techniques and Procedures
(TTPs) Observed
48. {Conditional on Q46.B is selected} + [RA] You have indicated you want to document your TTPs and IOCs directly into this form. At this time, can you provide information regarding the TTPs the adversary leveraged as part of this incident? (Yes/No) (DESIGN NOTE: If No: DISPLAY NOTE: When, during your investigation, you discover knowledge about TTPs contributing to the incident, please return to this question and document them. If you have already documented IOCs, you must also return to that section and provide the connections between the IOCs and the TTPs documented that have factored into the incident.)
49. {Conditional} [RC] (DESIGN NOTE: Question applies only if the reporter answered "Yes" to having TTPs to report in Q48 and selected "Proceed directly in report" for documenting TTPs/IOCs in Q46.B) You have indicated you have TTP(s) to report and would like to document those TTP(s) and related IOC(s) directly in this online form. Therefore, please begin by selecting the type(s) of networks[46] and systems the TTPs were observed within. (Select all that apply) [ ] Enterprise/Traditional IT; [ ] Operational Technology/Industrial Control Systems; [ ] Mobile Systems (DESIGN NOTE: Multi select)
A. Are you familiar with the MITRE ATT&CK TTP framework? (Yes/No)
B. Would you like to use CISA's internal tool to help you understand what TTPs you experienced? (Yes/No)
1. (DESIGN NOTE: If Yes AND if No to "familiar with MITRE ATT&CK") Once you have completed using CISA's internal tool to help understand your TTPs, are you now able to use the MITRE ATT&CK framework to identify your TTPs? (Yes/No)
C. {Conditional} [Op] + [FISMA Req] (DESIGN NOTE: If Yes to "familiar with the MITRE ATT&CK") Select the appropriate MITRE ATT&CK tactics and/or technique(s) observed from the matrix associated with the network(s) you have selected
1. One or more TTPs observed in this incident are not identified in MITRE ATT&CK, therefore we need to document those TTPs in a different method. [ ] Select if applicable (DESIGN NOTE: If selected, allow for a combination of both MITRE ATT&CK TTP and alternate narrative method TTP identifications)

46 Enterprise Networks: Networks and systems that consist of and/or support information for the following platforms: Windows, macOS, Linux, Azure AD, Office 365, Google Workspace, SaaS, IaaS, network management devices (e.g., routers, switches, hubs, etc.), and containers.
Industrial Control Networks: Operational Technology are programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. (Operational technology - Glossary | CSRC (nist.gov))
Mobile Device Networks: Mobile devices/networks that have access to entity resources and network-based effects that can be used by adversaries. This includes supported devices for the following platforms: Android, iOS.
D. {Conditional} [Op] + [RR] (DESIGN NOTE: If "No" to familiar with MITRE ATT&CK) You have indicated you are unfamiliar with using MITRE ATT&CK to identify the TTPs observed during this incident, or your entity observed TTP(s) not listed or currently unidentified in MITRE ATT&CK. Therefore, using the type of network(s) you selected earlier, please select the TTP category that potentially matches the type of TTP you have observed: (DESIGN NOTE: Depending on which network was selected earlier (Enterprise, ICS, Mobile), display the TTP category list (defined in the "red box" below) for that type of network, allow the reporter to select one to many categories, and allow a description narrative for each category chosen) (DESIGN NOTE: Provide a "hover-over" descriptor of each category in each list to provide context for the reporter.)
Enterprise Networks: Reconnaissance; Resource Development; Initial Access; Execution; Persistence; Privilege Escalation; Defense Evasion; Credential Access; Discovery; Lateral Movement; Collection; Command and Control; Exfiltration; Impact (physically to data/systems)
Industrial Control Systems: Initial Access; Execution; Persistence; Privilege Escalation; Evasion; Discovery; Lateral Movement; Collection; Command and Control; Inhibit Response Function; Impair Process Control; Impact (physically to data/systems)
Mobile Networks: Initial Access; Execution; Persistence; Privilege Escalation; Defense Evasion; Credential Access; Discovery; Lateral Movement; Collection; Command and Control; Exfiltration; Impact (physically to data/systems)
i. Please provide a description and details of the TTPs observed in the
category(ies) you have documented (DESIGN NOTE: Open text box)
Incident Stage (I/D): Indicators of Compromise (IOCs) and
associated Detection Methods Used
(DISPLAY NOTE: In the next series of questions, you will be asked to provide Indicators of Compromise (IOCs) details and metadata observed and collected for each TTP selected.)
50. [C-15] [RA] Do you have any Indicators of Compromise (IOCs) you can share with us? (Yes/No) (DISPLAY NOTE: You will be given an opportunity to associate reported IOC(s) with your entity's documented TTP(s) in a future step.) (DESIGN NOTE: If No: SKIP to Q52, the "Incident Stage (I/D): Malware Artifacts and Detection Logics/Analytics" section)
(DESIGN NOTE: If Yes) There are two methods by which you can share IOCs with us. Option one is via a "copy/paste" of your IOC(s) into this form, with opportunities to add additional IOC attributes once the system processes your "copy/paste". Option two is via providing the IOC(s) individually in a structured format wherein you provide attribute details and TTP mapping at the time of entry. (DISPLAY NOTE: Based on previous incident reporting and our experience, if there are 10 or fewer IOCs to report, the structured "individual build" approach may be the best option to document the IOCs.) Which method do you want to use to document your IOC(s)? [ ] "Copy/paste" [ ] "Individual build"
1. [RC] (DISPLAY NOTE: To ensure we can ingest your data correctly you will need to provide your IOCs separated by a space, comma, semicolon, or new line.) Provide your IOC(s) via copy/paste here (DESIGN NOTE: Open text box)
a. Upload via copy/paste method
IOC Relation; Type; Context; Timeline [Start, Stop, Still ongoing (Y/N)]; IOC location observed
1. Please validate and edit any errors to your IOC(s) here
2. Based on the current IOC list reported, it is very helpful to CISA if you can provide additional context on the IOCs. The context which is particularly valuable to us is an explanation of whether the indicator is from the attacker, benign, or unknown; the times seen; whether the IOC is currently active in your environment; and the location the IOC was operating from within your network(s). It is preferred to have the attributes associated per individual IOC. At a minimum, the attributes can be applied to all IOCs of the same type. At what level are you able to provide us context on the IOC(s) you are sharing? [ ] Attributes per IOC entry [ ] Attributes per IOC type (Select one) (DESIGN NOTE: Single select)
3. Based on the IOC(s) added to your report, please provide the overall IOC attributes as necessary:
i. Were these IOCs [ ] Attacker, [ ] Benign, [ ] Unknown (Select all that apply) (DESIGN NOTE: multi select)
ii. Please provide the timeline of the IOC(s) collected
1. First known time IOC operational in your environment
2. Is the IOC still active in your environment? (Y/N) (DESIGN NOTE: If No)
i. Time IOC ceased operation within your environment
iii. Please select (one) the most severe location any of the IOCs were operating from within your environment from this list:
i. Business demilitarized zone (DMZ) (Activity was observed in the business network's demilitarized zone (DMZ))
ii. Business network (Activity was observed in the business or corporate network of the entity; these systems would include corporate user workstations, application servers, and other non-core management systems)
iii. Business network management (Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores)
iv. Critical system[47] DMZ (Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay "jump" boxes into more critical systems.)
v. Critical system management (Activity was observed in high-level critical systems management such as human-machine interfaces in Industrial Control Systems)
vi. Critical systems (Activity was observed in the critical systems that operate critical processes.)
vii. Unknown
viii. Other [describe] (DESIGN NOTE: Open Text)

47 Critical System/Services/Property: See footnote 39.

4. Based on each of the IOCs added to your report, please provide the individual IOC attributes as necessary
i. Was the IOC [ ] Attacker, [ ] Benign, [ ] Unknown (Select one) (DESIGN NOTE: Single select)
ii. Please provide the timeline of the IOC provided
1. First known time IOC operational in your environment
2. Is the IOC still active in your environment? (Y/N)
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
(DESIGN NOTE: If No)
i.
iii.
Time IOC ceased operation within your
environment
Please indicate any of these areas or locations in your
organization’s network(s) where you observed the IOC
(select all that apply)
1. Business demilitarized zone (Activity was observed in the business network’s demilitarized zone [DMZ])
2. Business network (Activity was observed in the business or corporate network of the entity; these systems would include corporate user workstations, application servers, and other non-core management systems)
3. Business network management (Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores)
4. Critical system⁴⁸ DMZ (Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems.)
⁴⁸ Critical System/Services/Property: Specific entity [system/service/property] that is of such extraordinary importance that its incapacitation or destruction would have a very serious, debilitating effect on the ability of a nation [or organization, business, entity] to continue to function effectively; [a system/service/property of great] importance to a mission or function, or continuity of operations. [derived from “critical asset” pages 135-136 and criticality page 139 of https://www.dhs.gov/publication/dhs-lexicon]
5. Critical system management (Activity was observed in high-level critical systems management such as human-machine interfaces in Industrial Control Systems)
6. Critical systems (Activity was observed in the critical systems that operate critical processes.)
7. Unknown
8. Other [describe] (DESIGN NOTE: Open Text)
b. Please associate the IOC(s) you provided with the appropriate TTP(s) you have already documented. If you have not yet documented any TTPs, please select [here] to omit this step for now. (DESIGN NOTE: if reporter selects “[here]” allow the IOC to TTP mapping process to be postponed and DISPLAY NOTE: When, during your investigation, you discover knowledge about TTPs contributing to the incident and have documented them, please return to this question and provide the associations between the IOCs and TTPs documented that have factored into the incident)
2. Individual build method (DESIGN NOTE: For Data marking: reporter needs the
opportunity to label the following IOC information as proprietary at some point, e.g., through
data markings/options to be marked in the CISA 2015 section.)
a. Please select the TTP with which these IOCs are associated.
(DESIGN NOTE: if reporter selects “[here]” allow the IOC to TTP mapping
process to be postponed and DISPLAY NOTE: When, during your investigation,
you discover knowledge about TTPs contributing to the incident and have
documented them, please return to this question and provide the associations
between the IOCs and TTPs documented that have factored into the incident.)
(DESIGN NOTE: Select from TTP entered “pick-list” and allow reporter to
associate the IOC with a TTP.)
(=======DESIGN NOTE: This section is repeated for each type of IOC the
reporter is providing =====)
b. [Op] + [RR] What is the IOC’s relation to the incident? (Attacker, Benign, Unknown) (DESIGN NOTE: Select one)
c. [C-15] [Op] + [RR] Select type of indicator of compromise (Select from list):
1. Autonomous System(s) (AS)
2. Domain Name(s)
3. Email Address(es)
4. Email Message(s) (DESIGN NOTE: Allow option to upload Email
Headers separate from Email Body.)
5. IPv4 Address(es)
6. IPv6 Address(es)
7. Network Traffic
8. URL
9. File System Directory(ies)
10. File Metadata
11. Hash(es)
12. Mutex(es)
13. Software Metadata
14. System Process(es)
15. User Account(s)
16. Windows Registry
17. X.509 Certificate(s)
d. [C-15] + [RA] Please share any relevant context regarding these
IOCs (DESIGN NOTE: Open text)
e. [Op] + [RR] Please enter your IOC timeline here
1. First known time IOC operational in your environment
2. Is the IOC still active in your environment? (Y/N) (DESIGN NOTE: If No)
i. Time IOC ceased operation within your environment
f. [C-15] + [Op] + [RR] Please indicate any of these areas or locations in your organization’s network(s) where you observed the IOC (select all that apply)
i. Business demilitarized zone (Activity was observed in the business network’s demilitarized zone [DMZ])
ii. Business network (Activity was observed in the business or corporate network of the entity; these systems would include corporate user workstations, application servers, and other non-core management systems)
iii. Business network management (Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores)
iv. Critical system⁴⁹ DMZ (Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems.)
⁴⁹ Critical System/Services/Property: Specific entity [system/service/property] that is of such extraordinary importance that its incapacitation or destruction would have a very serious, debilitating effect on the ability of a nation [or organization, business, entity] to continue to function effectively; [a system/service/property of great] importance to a mission or function, or continuity of operations. [derived from “critical asset” pages 135-136 and criticality page 139 of https://www.dhs.gov/publication/dhs-lexicon]
v. Critical system management (Activity was observed in high-level critical systems management such as human-machine interfaces in Industrial Control Systems)
vi. Critical systems (Activity was observed in the critical systems that operate critical processes.)
vii. Unknown
viii. Other [describe] (DESIGN NOTE: Open Text)
Indicator of Compromise (IOC) Individual Data Marking
51. [RR except FISMA do not show] Should the IOC(s) and associated detail you have
provided in this section be considered commercial, financial, and proprietary under
the Cybersecurity Information Sharing Act of 2015? [Yes/No]
Incident Stage (I/D): Indicators of Compromise (IOCs): Detection Methods
52. [Op] + [RR] MITRE’s D3FEND matrix categorizes countermeasures into multiple categories. Detection actions are identified in the “Model” and “Detect” categories. Are you familiar with, and/or would you like to use, the MITRE D3FEND matrix to document your detection methods? (Yes/No)
a. (DESIGN NOTE: If yes) Please select the detection methods you used to discover
each observed activity IOC using the MITRE D3FEND matrix (DISPLAY
NOTE: Please return to this section at any point during the life cycle of this incident to
document any additional detection methods used to help resolve this incident)
b. (DESIGN NOTE: If No) (DESIGN NOTE: Multi select)
1. Did your organization choose a detection technique that potentially fit
within an existing “MITRE D3FEND tactic” but was not listed?
(Yes/No)
I. (DESIGN NOTE: If Yes):
1. Which tactic did your action fall under?
a. Model
1. Asset inventory
2. Network mapping
3. Operational activity mapping
4. System mapping
b. Detect
1. File analysis
2. Identifier analysis
3. Message analysis
4. Network traffic analysis
5. Platform monitoring
6. Process analysis
7. User behavior analysis
8. Description (DESIGN NOTE: Open text)
II. (DESIGN NOTE: If No) If your organization is unable to use MITRE
D3FEND, did not use any of the MITRE D3FEND detection
methods, or is unsure which MITRE D3FEND detection method
applies, select from the set of common detection methods below:
1. Administrator
2. Antivirus software
3. Commercial and/or publicly available solution
4. External source notification
5. Human review
6. Internally developed/proprietary solution
7. Intrusion detection system (IDS)
8. Log review
9. User
10. Unknown
11. Other
a. Please provide a description of the detection
method(s). (DESIGN NOTE: Open text)
Incident Stage (I/D): Malware Artifacts and Detection Logics/Analytics
53. [C-15] [RA] Did you detect malicious software (malware) or scripts? (Yes/No)
A. {Conditional} [Op] + [RR] (DESIGN NOTE: If Yes) Do you have any malware you
can share with us? (Yes/No) (DESIGN NOTE: If Yes) Please upload here
B. [C-15] {Conditional} [Op] + [RR] (DESIGN NOTE: If Yes) Please provide any
additional detail or context regarding the malware you have shared with us
(DESIGN NOTE: Open text)
54. [Op] + [RR] Did you create any signatures or other detection analytics to identify
and/or detect the threat activity you have reported? (Yes/No)
{Conditional} [Op] + [RR] (DESIGN NOTE: If Yes)
A. For each entry, please provide the following
1. Description
2. Pattern or rule
3. Pattern or rule language or technology used (YARA, Snort, Sigma, etc.)
Incident Stage (I/D): Malware Artifacts and Detection Logics/Analytics: Data Classification Markings
55. [CUI] [Op] + [RR] The default data marking for the malware artifacts and detection logic/analytics just reported is {insert default data marking here, default data marking is TBD}. Would you like to change the default data marking? (Yes/No) (DISPLAY NOTE: The default marking with the lowest restriction available will be applied automatically to all submissions in the Malware Artifacts and Detection Logics/Analytics sub-section for fields not previously entered with a data marking label. You will, however, be given an opportunity to change the markings for responses to individual questions.)
{Conditional} [Op] + [RR] (DESIGN NOTE: If Yes) Which of these data markings best
describe your malware artifacts and detection logics/analytics?
(DESIGN NOTE: See Appendix 1 for options.)
Incident Stage (I/D): Data Sources Used and Attribution
Data Sources Used
56. [Op] + [RR] Were external data sources such as data from threat
information/intelligence reporting used to discover or aid in discovering this incident?
(Yes/No)
[If Yes] Provide the following for each data source
A. [Op] + [FISMA Req] Report title and number (if applicable)
1. Name/description of data source (can include author, company providing the
data source, or general description)
2. Link to report/data source (if applicable and available to share)
Attribution
57. [RA] Have you attributed this incident to a threat actor? (Yes / No, this incident is currently an unattributed cyber intrusion / Maybe)
{Conditional} [Op] (DESIGN NOTE: If Yes or Maybe) Provide the name of the “threat
actor” and the source used to support this assessment below
[ ] The attributed threat actor name and/or attribution source is classified (select if
true)
(DISPLAY NOTE: If you used a classified source to help in your attribution, do not complete the following. You will be contacted via a secure means to discuss further if necessary.)
A. Threat actor name (could be name of advanced persistent threat [APT] actor,
ransomware group, etc.) (DESIGN NOTE: Open text)
B. Was this attribution claim based on one of the data sources you previously
provided? (DESIGN NOTE: Allow to select from list (one to many entries.))
If not, please provide the attribution source(s) (DESIGN NOTE: One to many
entries.)
1. Name of attribution source(s) (DESIGN NOTE: One to many entries.)
2. URL/Web link to validate source material (DESIGN NOTE: One to many
entries.) (DESIGN NOTE: Open text)
3. Report title(s) and number(s) (if applicable) (DESIGN NOTE: One to many
entries) (DESIGN NOTE: Open text)
4. Other details (DESIGN NOTE: One to many entries.) (DESIGN NOTE: Open text)
C. What is your level of confidence⁵⁰ in your attribution? (DESIGN NOTE: Select one)
1. Confirmed by other sources: confirmed by other independent sources; logical
in itself; consistent with other information on the subject
2. Probably true: not confirmed; logical in itself; consistent with other
information on the subject
3. Possibly true: not confirmed; reasonably logical in itself; agrees with some
other information on the subject
D. Provide any additional information you feel is relevant (DESIGN NOTE: Open text)
{Conditional} [Op] + [RR] (DESIGN NOTE: If No) This incident is currently an
unattributed cyber intrusion. Please provide any additional information you feel is
relevant and will aid in attribution. (DESIGN NOTE: Open text)
m. Assistance
Assistance from CISA
58. [Op] + [RR] Are you interested in receiving incident response assistance from CISA
to the extent available? (Yes/No)
59. [Op] + [RR] Are you interested in additional collaboration or information sharing
with CISA around this incident to the extent feasible? (Yes/No)
Third Party Assistance
60. [Op] + [RR] Are you utilizing an external third party to provide assistance with the
reported incident? (Yes/No)
A. (DESIGN NOTE: If Yes) Provide the name of third-party entity(ies) (DESIGN NOTE: Open
text)
Data Sharing and Logging Readiness
61. [Op] + [RR] Are you willing to share the results of third-party analysis with CISA? (Yes/No) (DESIGN NOTE: Only Display if “Yes” to “third party” question prior.)
62. [Op] + [RR] Are you willing to share data (such as logs or other technical artifacts) about this incident with CISA? (Yes/No)
1. {Conditional} [Op] + [FISMA Req] [If Yes] Please select all categories of
data (such as logs or other technical artifacts) you are willing to provide. If
necessary, our request for logs and technical artifacts would encompass only
information related to the incident (DESIGN NOTE: Multi select) (DISPLAY NOTE:
You are not being asked to share this data with CISA at this time/through this report. The
purpose of this question is for CISA to understand the extent to which such data exists, and you
are willing to share it with CISA for potential analysis.)
a. Identity-based logs for the following
⁵⁰ https://www.misp-project.org/taxonomies.html#_admiralty_scale; https://www.threat-intelligence.eu/methodologies/
1. Identity and credential management
2. Privileged identity and credential management
3. Authentication and authorization
4. User accounts and user account meta-data
b. Network
1. Email filtering, spam, and phishing logs
2. Network device infrastructure logs (for devices with multiple interfaces: interface MAC if correlated to the De-NAT IP address)
3. Network device infrastructure logs (e.g., general logging, access, authorization, and accounting)
4. Data loss prevention logs
5. Network traffic (e.g., packet capture) artifacts
6. Network traffic (e.g., Netflow, Enhanced Netflow, Zeek Logs, etc.) artifacts
c. Host
1. Operating systems (e.g., Windows infrastructure and operating systems, macOS, BSD)
2. PKI and other multifactor applications and infrastructure
3. Antivirus and behavior-based malware protection
4. Other host logs (e.g., operating system, database logs, application logs)
d. Vulnerability
1. Vulnerability assessments
2. Penetration test results
e. Mobile
1. Mobile (phones and tablets) EMM (UEM) / MTD server logs
2. Mobile (phones and tablets) EMM (UEM) / MTD agent logs
f. Containers
1. Container (e.g., supply chain, image, engine (MGT/orchestration), OS, cluster/pod events)
g. Cloud unique data not specified above
1. Cloud environments (general events and general logging)
2. System configuration and performance
3. Virtualization systems
h. Mainframes
1. Mainframe unique logging not covered above
i. Communications
1. Any communications with the threat actors (either by the entity or another entity on behalf of the entity) (e.g., emails [with full headers and attachments], chats, etc.)
2. Notes, transcripts, and audio recordings of any communications with threat actors
j. Financial
1. Any log files supporting financial records and accounts associated with the incident (DISPLAY NOTE: This is not intended to include actual financial account information, e.g., account numbers, etc.)
k. Forensic images:
1. Forensic images (e.g., full disk, system, volume etc.) relevant
to the incident
2. Memory images relevant to the incident
l. Malicious code
1. Malicious code and associated files related to the incident
m. Exfiltrated data
1. Data and metadata exfiltrated related to the incident (DISPLAY
NOTE: This is not intended to include actual compromised data.)
2. Evidence of data and metadata exfiltrated, related to the
incident
n. Reporting
1. Forensic and other reporting related to or concerning the
incident (internal or external party originated)
n. Analysis (A) Stage⁵¹
63. [RA] Have you begun the analysis stage? (Yes/No/Unsure) (DISPLAY NOTE: The focus in this stage is on analyzing the incident in more detail, determining the root cause, and assessing the impact.)
A. (DESIGN NOTE: If Yes) Please provide the date (yyyy-mm-dd) you began the analysis stage
64. [FISMA Req] Has the suspicious activity been declared an incident? (Yes/No)
(DISPLAY NOTE: This event and time is different from the first time of incident detection. An incident
declaration is the point when your organization has officially analyzed the information and determined the
activity detected is, in fact, evidence of a cyber incident.)
A. (DESIGN NOTE: If Yes) Provide date and time (yyyy-mm-dd HH:MM -) the incident was declared
⁵¹ Analysis Stage - Stage of an incident life cycle that involves a process of examining [the systems] in terms of [but not limited to] their operation, configuration, and physical presence, in terms of "its constituent parts so as to reveal new meaning by investigation of the [system] elements to distinguish problems, situations, or anomalies for instructional solutions or other suitable interventions that optimize performance." Entering the Analysis phase involves the transition from 'Something Happened' [Identification and Detection] to understanding 'What has Happened'. [derived from page 28 of https://www.dhs.gov/publication/dhs-lexicon]
Incident Stage (A): Impacted Users and Systems
65. [RA] Please identify the impacted users (number of impacted privileged and/or
standard information technology (IT) users) (DISPLAY NOTE: This is not necessarily all users,
but those users impacted by activity during the incident.) (DESIGN NOTE: Multi select then quantity
entered.)
A. Privileged/system/administrative/service-level IT user quantity impacted (DESIGN
NOTE: Quantity)
1. [Op] How are these users impacted (e.g., accounts locked, removed, other)?
B. Standard IT user quantity impacted (DESIGN NOTE: Quantity)
1. [Op] How are these users impacted (e.g., accounts locked, removed, other)?
66. [C-15] [RA] With respect to information systems you own and/or operate that are
impacted by or involved in this incident: (DESIGN NOTE: These set of questions repeat for
every “instance” of Impacted Systems identified below.)
A. [FISMA Req] + [FedRAMP] Please identify whether any impacted information
system, network, and/or device supports any elements of the intelligence
community or contains information that has been determined by the United States
Government pursuant to an Executive Order or statute to require protection
against unauthorized disclosure for reasons of national defense or foreign
relations, or any restricted data, as defined in 42 U.S.C. 2014(y) (Yes/No).
1. (DESIGN NOTE: If Yes) Please identify the relevant federal entity category
(DESIGN NOTE: Multi select)
a. Federal civilian executive branch (FCEB) - FISMA System
(Yes/No)
b. Intelligence community (Yes/No)
c. Federal judicial branch (Yes/No)
d. Federal legislative branch (Yes/No)
e. DOD system, program, or platform (Yes/No)
B. {Conditional} (DESIGN NOTE: Conditional to “Yes” selection to “A.1.a. Federal Civilian
Executive Branch (FCEB) - FISMA System (Yes/No)”. If Yes)
1. [FISMA Req] Please provide the FISMA system name
2. [FISMA Req] Please select the type of FISMA system
a. General support system
b. Major application
c. Other
1. Please provide the system type (DESIGN NOTE: Open text)
3. [CUI] [FISMA Req] Contact information of the federal employee identified
as the system owner
a. Name
1. First
2. Last
Page 62 of 120
DRAFT FOR PUBLIC COMMENT
b. Phone number(s)
1. Unclassified
2. [Op]Classified
c. Email address(es)
1. Unclassified
2. [Op]Classified
d. Position or title
C. [C-15] [RA] Identify and describe the function of each individual (or group of
similar) affected network(s), device(s), and/or Information System(s), specifically
with respect to the category, system type, services provided, name, location and
government customer communities supported
1. Category (Select all that apply) (DESIGN NOTE: Multi select)
a. [ ] Enterprise networks or systems⁵²: Impacted [confirmed] [suspected] (Select one) (DESIGN NOTE: Single select)
b. [ ] Operational technology⁵³ and industrial control systems: Impacted [confirmed] [suspected] (Select one) (DESIGN NOTE: Single select)
c. [ ] Mobile devices⁵⁴: Impacted [confirmed] [suspected] (Select one) (DESIGN NOTE: Single select)
2. Systems type (DESIGN NOTE: Multi select then quantity entered)
a. Endpoint devices (non-server devices)
1. Authentication token or device
i. Operating systems (OS) (DESIGN NOTE: 1.i., ii., iii. and 2. repeated for each option selected)
i. OS name(s)
ii. OS version number(s)
iii. Number impacted of each OS version
2. Desktop
3. Laptop
4. Media (e.g., backup tapes, disk media (e.g., CDs, DVDs), documents, flash drive or card, hard disk drive, media player, recorder)
⁵² Networks and systems that consist of and/or support information for the following platforms: Windows, macOS, Linux, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network management devices (e.g., routers, switches, hubs, etc.), and Containers.
⁵³ Operational technology comprises programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. (Operational technology - Glossary | CSRC (nist.gov))
⁵⁴ Mobile devices that have access to entity resources and network-based effects that can be used by adversaries. This includes supported devices for the following platforms: Android, iOS.
5. Mobile phone or smartphone
6. Peripheral (e.g., printer, copier, fax, identity smart card,
payment card (such as a magstripe or EMV))
7. Point of sale (POS) terminal
8. Tablet
9. Telephone
10. Voice over Internet Protocol (VoIP) phone
11. Other/unknown (DESIGN NOTE: Open text)
b. Server types
1. Active Directory (AD) Components
i. Operating systems (OS) (DESIGN NOTE: 1.i., ii., iii. and 2. repeated for each option selected)
i. OS name(s)
ii. OS version number(s)
iii. Number impacted of each OS version
2. Certificate Authority (CA)
3. Domain Name System (DNS)
4. Dynamic Host Configuration Protocol (DHCP)
5. Email
6. File
7. File Transfer Protocol (FTP)
8. Kerberos
9. Lightweight Directory Access Protocol/Lightweight Directory
Access Protocol over Secure Sockets Layer (LDAP/LDAP[S])
10. Network Time Protocol (NTP)
11. Print
12. Remote log(s) (e.g., email, VPN, Syslog, Rsyslog, Syslog-NG)
13. Remote Shell (RSH)
14. Security Information and Event Management (SIEM)
15. Secure Shell (SSH)
16. TELNET
17. Virtual Private Network (VPN)
18. Web
19. Voice over Internet Protocol (VoIP) Gateways
20. Authentication, Authorization, and Accounting (AAA) Services (e.g., RADIUS, Terminal Access Controller Access-Control System [TACACS+])
21. Operational (OT) and Open-Source Software (OSS) types
(e.g., Apache HTTP Server)
22. Other
i. Please list the additional server type(s) (DESIGN NOTE: Open text)
c. Network Devices
1. Firewalls
1. Operating systems (OS) (1.i, ii and iii. repeated for each selected)
i. OS name(s)
ii. OS version number(s)
iii. Number impacted of each OS version
2. Intrusion Detection System (IDS)
3. Intrusion Protection System (IPS)
4. Hub
5. Load Balancers
6. Proxies
7. Routers
8. Switches
9. Other
i. Please list the additional network device type(s) (DESIGN NOTE: Open text)
d. Identity providers (IdP)
1. Active Directory
2. Active Directory Federation Services (ADFS)
3. Amazon
4. Azure Active Directory
5. Facebook
6. Google Workspace
7. Lightweight Directory Access Protocol (LDAP)
8. Login.gov
9. Ping Federate
10. OpenID Connect
i. Provide the name of the provider(s) (DESIGN NOTE: Open text)
11. Okta
12. Security Assertion Markup Language (SAML)
i. Provide the name of the provider(s) (DESIGN NOTE: Open text)
13. Other identity providers
i. Please provide the name of the identity provider(s) (DESIGN NOTE: Open text)
3. Name of system(s) (DISPLAY NOTE: Provide name of system to add fidelity to the system
(or group of systems) that is entered in this instance (e.g., clarifying names of servers.)) (DESIGN
NOTE: Open text)
4. Name of system(s) services provided (e.g., active directory, email, web,
boundary firewall, key personnel mobile device) (DESIGN NOTE: Open text)
5. Physical location(s) of system or group of systems
a. [ ] Select if same as impacted facility address entered earlier
b. If not the same address as impacted facility, then please provide
address of impacted system(s)
1. Street name and number
2. City
3. State
4. Postal code
5. Country
6. Is the impact or involvement of the system (or group of systems) identified []
confirmed or [] suspected at the time of report? (DESIGN NOTE: Select one.)
D. [Op] + [RR] Is the system identified as part of the High Value Asset (HVA)⁵⁵ Program? (Yes/No)
E. [Op] + [RR] Is the impacted system designated as a National Security System⁵⁶? (Yes/No)
F. {Conditional} (DESIGN NOTE: Conditional to “Yes” selection to D. High Value Asset (HVA) Program (Yes/No).)
1. What is the HVA Identification Number?
2. For each HVA listed, what services does it provide?
a. For each service, what communities does it support? (DESIGN NOTE:
Open text)
3. Does this HVA have connections to other HVAs? (Yes/No)
a. (DESIGN NOTE: If Yes) Are these connections internal to the agency,
external to the agency, or both? (Internal/External/Both)
b. (DESIGN NOTE: If Yes) Do you know what the other HVAs are?
(Yes/No)
1. (DESIGN NOTE: If Yes) Please list the other HVA(s).
i. For each HVA listed, what services does it provide? (DESIGN NOTE: Open text)
1. For each service, what communities does it support? (DESIGN NOTE: Open text)
2. Do you have contact information for the other HVA(s)? (Yes/No)
i. [CUI] (DESIGN NOTE: If Yes)
1. Name
i. First
ii. Last
2. Phone number(s)
i. Unclassified
ii. [Op] Classified
3. Email address(es)
i. Unclassified
ii. [Op] Classified
4. Position or title
5. Time zone
⁵⁵ https://www.cisa.gov/resources-tools/programs/high-value-asset-program-management-office
⁵⁶ NSS is defined in law here: 40 USC 11103: Applicability to national security systems (house.gov) https://uscode.house.gov/view.xhtml?req=(title:40%20section:11103%20edition:prelim)%20OR%20(granuleid:USC-prelim-title40-section11103)&f=treesort&num=0&edition=prelim
Incident Stage (A): Initial Access “Patient Zero” Details
67. {Conditional}[Op] + [RR] (DESIGN NOTE: Executes if reporter has identified one or more TTPs observed above in the “Initial Access” category in any of the MITRE ATT&CK TTP matrices (example in “red box” to the right); this list is a “dynamically created” list at time of question, determined by which MITRE ATT&CK “Initial Access” TTPs were selected.) You have observed and identified an “initial access” TTP in this incident. Have you identified the initially affected endpoint, device, account, and/or application commonly referred to as “patient zero”? (Yes/No) (DESIGN NOTE: If Yes, go to Q 69.)
68. {Conditional}[Op] + [RR] (DESIGN NOTE: Trigger this question if no MITRE ATT&CK TTPs were entered to identify any Initial Access TTPs and the narrative response has been parsed into discrete TTPs to create a list.) Have you identified any initial access TTPs⁵⁷ that you have attributed as the initial entry into your networks, commonly referred to as “patient zero”? (Yes/No) (DESIGN NOTE: If Yes, go to Q 69.)
69. {Conditional}[Op] + [RR] > [Triggered only if “Yes” from either Q67 or Q68] Please select from your reported initial access observed activity: TTP(s) and provide the technique used to gain the initial access to patient zero.
A. (DESIGN NOTE: If Yes) Was the “patient zero” already entered with the rest of the impacted systems? (Yes/No)
1. (DESIGN NOTE: If Yes) Please select from your list of impacted systems the system(s) you believe to be “patient zero.” (DESIGN NOTE: Allow to select from previously entered impacted system (from question highlighted in “red box” below) list of “table responses” and if not already entered, then allow for a similar table entry.)
⁵⁷ Tactics, Techniques and Procedures (TTP)
B. [C-15] (DESIGN NOTE: If “No” or the system was not found in preexisting list then:) If the system is not yet entered, please enter “patient zero” details now.
1. Select the initial access system category and type (DESIGN NOTE: Follow same format as in previous Impacted System entries. Pull from the list already identified in question "Please Identify Impacted System". If already entered, allow reporter to select the system as "Patient Zero", otherwise allow reporter to enter in Patient Zero system details in same format.)
C. When was the date/time of initial access in this incident?
1. Date and Time (yyyy-mm-dd HH:MM -)
Incident Stage (A): Detailed Informational Impacts
70. {Conditional}[FISMA Req + FedRAMP reporting only] (DESIGN NOTE: Display only if “Classified data ‘spillage’ to unapproved networks” is selected in Incident Result. Reference “red box” below:) You indicated earlier that the incident resulted in spillage of classified information; please provide more details below. (DISPLAY NOTE: DISCLAIMER Do NOT provide any classified information in the following responses)
A. What classification guide or source material was used to validate that the information spilled was classified?
B. What was the root cause of the spillage? (DESIGN NOTE: Open text)
C. [CUI] Has an appeal or challenge been issued on the spillage of classified information? (Yes/No)
1. On what date?
2. [CUI] To whom was the appeal or challenge issued?
3. Has the appeal been completed? (Yes/No)
4. Was this appeal accepted or denied? (Accepted/Denied)
a. If so, on what date was the appeal accepted or denied?
(DESIGN NOTE: Execute this question if any impact was selected in the earlier Informational Impacts to Entity question (e.g., do NOT show if “No Impact” or “Unknown” was selected).)
71. {Conditional}[RC] Earlier in the form, you selected an informational impact 58 to your entity of (DESIGN NOTE: Place selected choice of Informational Impact question here, e.g., “High Impact”). We would like more details on your information impacts; can you please provide more details on any “suspected, but not confirmed” and/or “confirmed” known informational impact(s) from the incident?
A. Please provide details on the “suspected” and/or “confirmed” informational impact(s) from this incident: (DESIGN NOTE: Multi select)
i. [] Suspected, but not yet confirmed
1. Which of these information types do you suspect was impacted? (DESIGN NOTE: Multi select)
a. Classified material (DESIGN NOTE: 1.i.,ii.,iii and 2., repeated for each option selected) (DESIGN NOTE: if these follow-on questions are same per info type selected, give option to copy over the same responses)
1. How was the suspected information impact discovered? (Select all that apply)
i. Some evidence of access but unclear evidence of exfiltration
ii. Threat actor has provided inconclusive evidence of information impact (e.g., pictures of file directories)
iii. Other inconclusive evidence of threat actor access/use of the information (please describe) (DESIGN NOTE: Open text if selected)
iv. We were informed by an independent third party
2. Was the system where the information was located a critical system 59? (Yes/No)
b. Communications (e.g., emails, instant messages)
c. Administrative credentials
d. User or other non-administrative credentials
e. Financial
f. Dissemination controlled
1. Legal
2. Proprietary
3. Other personal information
g. Defense information (as the information relates to unclassified cyber threat information/indicators (CTI), export controlled, operational security (OPSEC) and/or information)
1. Unclassified CTI
2. Export controlled information
3. OPSEC information
ii. [] Confirmed
1. (DESIGN NOTE: If Yes) What type of information impact? (DESIGN NOTE: Select Privacy Data Breach and/or Other Data Compromise and/or Credential Compromise) (DESIGN NOTE: Multi select)
a. [ ] Privacy data breach (DESIGN NOTE: If Privacy data breach, then ask following) (DESIGN NOTE: Multi select)
1. What type of information was impacted? (DESIGN NOTE: Multi select)
i. Financial (DESIGN NOTE: 1.i.,ii.,iii and 2., repeated for each option selected)
1. How was the information loss identified? (Select all that apply)
i. The information was seen outside the authorized system (e.g., darkweb, leaksite, etc.) (DESIGN NOTE: Flagged as exploited)
ii. The information was seen being exfiltrated from the authorized system and/or network (DESIGN NOTE: Flagged as loss)
iii. We were informed by an independent third party (DESIGN NOTE: Flagged as loss)
iv. Other evidence of threat actor access/use of the information (please describe) (DESIGN NOTE: Open text if selected)
2. Was the system where the information was located a critical system? (Yes/No)
ii. Dissemination Controlled
1. Legal
2. Proprietary
3. Other personal information
58 Informational Impact: In addition to functional impact, incidents may also affect the confidentiality, integrity and availability of the information stored or processed by various systems. The information impact category is used to describe the type of information lost, compromised, or corrupted. (CISA National Cyber Incident Scoring System). CISA National Cyber Incident Scoring System (NCISS) | CISA
59 Critical System/Services/Property: Specific entity [system/service/property] that is of such extraordinary importance that its incapacitation or destruction would have a very serious, debilitating effect on the ability of a nation [or organization, business, entity] to continue to function effectively; [a system/service/property of great] importance to a mission or function, or continuity of operations. [derived from “critical asset” page 135-136 and criticality page 139 of https://www.dhs.gov/publication/dhs-lexicon]
b. [ ] Other data compromise (DESIGN NOTE: If Other data compromise, then ask the following)
1. What type of information was impacted? (DESIGN NOTE: Multi select)
i. Communications (DESIGN NOTE: 1.i.,ii.,iii and 2., repeated for each option selected)
1. How was the information loss identified? (Select all that apply)
i. The information was seen outside the authorized system (e.g., darkweb, leaksite, etc.)
ii. The information was seen being exfiltrated from the authorized system and/or network
iii. We were informed by an independent third party
iv. Other evidence of threat actor access/use of the information (please describe)
2. Was the system where this information was located a critical system? (Yes/No)
ii. Dissemination controlled
1. Proprietary
iii. Classified
iv. Defense information (as the information relates to unclassified cyber threat information/indicators (CTI), export controlled, OPSEC and/or information)
1. CTI
2. Export controlled information
3. OPSEC information
c. [ ] Credential compromise (DESIGN NOTE: If credential compromise, then ask the following)
1. What types of credentials were compromised? (DESIGN NOTE: Multi select)
i. User or other non-administrative credentials (DESIGN NOTE: 1.i.,ii.,iii.,iv and 2., repeated for each option selected)
1. How did you or others identify the compromise of the credentials? (Select all that apply)
A. The information was seen outside the authorized system (e.g., darkweb, leaksite, etc.)
B. The information was seen being exfiltrated from the authorized system and/or network
C. We were informed by an independent third party
D. Other evidence of threat actor access/use of the information (please describe) (DESIGN NOTE: Open Text if selected)
2. Was the system where this information was located a critical system? (Yes/No)
ii. Administrative credentials
1. How was the compromise of the credentials identified? (DESIGN NOTE: Select all that apply)
A. The information was seen outside the authorized system (e.g., darkweb, leaksite, etc.)
B. The information was seen being exfiltrated from the authorized system and/or network (DESIGN NOTE: Flagged as loss)
C. We were informed by an independent third party (DESIGN NOTE: Flagged as loss)
D. Other evidence of threat actor access/use of the information (please describe) (DESIGN NOTE: Open Text if selected)
2. Was this credential on or did it have access to a critical system? (Yes/No)
Incident Stage (A): Breach Details
(DESIGN NOTE: Executes if incident is flagged as a Breach Incident in “Breach Severity Assessment” earlier as indicated in response to questions flagged in “red box” below:)
72. {Conditional}[Op] + [FISMA Req] Earlier in this form, you provided the following description of this incident: (DESIGN NOTE: Pull forward the information entered by reporter earlier as flagged in the “red box” below:) You have also previously indicated there was actual or potential unauthorized access to personally identifiable information (PII). Please add any available additional context on the PII that was impacted. However, DO NOT include samples of actual PII in this response.
73. [FISMA Req] Did this incident involve a cyber- or non-cyber-related breach of PII? (DESIGN NOTE: Single-select)
A. Cyber-related
B. Non-cyber-related (e.g., personnel information with PII found in a public dumpster)
C. Both
74. [FISMA Req] If you have any additional details regarding what has been observed or identified with respect to the PII breach, please describe that here. However, DO NOT include samples of actual PII in this response. (DESIGN NOTE: Open text)
Impacted Individuals
75. [FISMA Req] How many individuals’ PII was impacted 60?
76. [FISMA Req] Were affected individuals notified? (Yes/No/Pending)
A. (DESIGN NOTE: If Yes or Pending) How were (or will the) individuals (be) notified? (Select all applicable)
1. Email
a. How many individuals were (or will be) notified using this method?
2. Short message service (SMS)
a. How many individuals were (or will be) notified using this method?
3. Verbal
a. How many individuals were (or will be) notified using this method?
4. Parcel
a. How many individuals were (or will be) notified using this method?
5. Other (Please list the method that was or will be used)
a. How many individuals were (or will be) notified using this method?
77. [CUI] [FISMA Req] Were mitigation services in the form of monitoring, insurance and/or counseling provided or offered to affected individuals? (Yes/No)
A. (DESIGN NOTE: If Yes) Which mitigation services have you made available to impacted individuals? (Please select all that apply):
1. Identity monitoring
2. Credit monitoring
3. Identity theft insurance
4. Full-service identity counseling and remediation services
5. [CUI] Other (describe)
60 Impact: is defined by CDM as “the loss of confidentiality, integrity, or availability that could be expected to have an adverse effect on organizational operations or organizational assets or individuals” (CDM Glossary of Terms).
PII Accessed and/or Impacted
78. [FISMA Req] For each type of PII, provide how many record instances of a PII category or type were accessed, potentially accessed, or otherwise impacted. (DISPLAY NOTE: Use approximate counts if final counts are not available) (DESIGN NOTE: Multi select for each PII “category” (e.g., Identifying numbers, Biographical Information, etc.) with the appropriate “accessed or impacted flags”.)
A. Personally Identifying Numbers (DESIGN NOTE: Multi select and for sub questions “a., b., c.”, repeated for each response selected)
1. Full social security number
a. Provide count
b. Is this count known or approximate? (Known/Approximate)
c. Did potential or confirmed access occur? (Potential/Confirmed)
2. Truncated or partial social security number
3. Driver’s license number
4. License plate number
5. Drug Enforcement Administration (DEA) registration number
6. File/case identification (ID) number
7. Patient ID number
8. Health plan beneficiary number
9. Student ID number
10. Federal student aid number
11. Passport number
12. Alien registration number
13. Department of Defense (DOD) ID number
14. DOD benefits number
15. Employee Identification Number
16. Professional license number
17. Taxpayer Identification Number
18. Business Taxpayer Identification Number (sole proprietor)
19. Credit/debit card number
20. Business credit card number (sole proprietor)
21. Vehicle Identification Number
22. Business Vehicle Identification Number (sole proprietor)
23. Personal bank account number
24. Business bank account number (sole proprietor)
25. Personal device identifiers or serial numbers
26. Business device identifiers or serial numbers (sole proprietor)
27. Personal mobile number
28. Business mobile number (sole proprietor)
29. Other (please identify)
B. Biographical Information (DESIGN NOTE: Multi select and for sub questions “a., b., c.”,
repeated for each response selected.)
1. Full name (First, Last, including nicknames)
a. Provide count
b. Is this count known or approximate? (Known/Approximate)
c. Did potential or confirmed access occur? (Potential/Confirmed)
2. Gender
3. Race
4. Date of birth (day, month, year)
5. Ethnicity
6. Nationality
7. Country of birth
8. City or county of birth
9. State of birth
10. Marital status
11. Citizenship
12. Immigration status
13. Religion/religious preference
14. Home address
15. Zip code
16. Home phone or fax number
17. Spouse information
18. Sexual orientation
19. Children information
20. Group/organization membership
21. Military service information
22. Mother’s maiden name
23. Business mailing address (sole proprietor)
24. Business phone or fax number (sole proprietor)
25. Global positioning system (GPS)/location data
26. Personal email address
27. Business email address
28. Employment information
29. Personal financial information (including loan information, but not including
account or payment card numbers)
30. Business financial information (including loan information, but not including
account or payment card numbers)
31. Alias (i.e., username or screenname)
32. Education information
33. Resume or curriculum vitae (DISPLAY NOTE: If these documents include additional
types of PII, e.g., address or SSN, please indicate those fields separately.)
34. Professional/personal references (DISPLAY NOTE: If these documents include
additional types of PII, e.g., address or SSN, please indicate those fields separately.)
C. Biometrics, Distinguishing Features, and Characteristics (DESIGN NOTE: Multi select and for sub questions “a., b., c.”, repeated for each response selected.)
1. Fingerprints
a. Provide count
b. Is this count known or approximate? (Known/Approximate)
c. Did potential or confirmed access occur? (Potential/Confirmed)
2. Palm prints
3. Vascular scans
4. Retina/iris scans
5. Dental profile
6. Scars, marks, tattoos
7. Hair color
8. Eye color
9. Height
10. Video recording
11. Photos
12. Voice/audio recording
13. DNA sample or profile
14. Signatures
15. Weight
D. Medical/Health and Emergency Information (DESIGN NOTE: Multi select and for sub questions “a., b., c.”, repeated for each response selected.)
1. Physical medical/health information
a. Provide count
b. Is this count known or approximate? (Known/Approximate)
c. Did potential or confirmed access occur? (Potential/Confirmed)
2. Mental health information
3. Disability information
4. Workers’ compensation information
5. Patient ID number
6. Emergency contact information
E. Device Information (DESIGN NOTE: Multi select and for sub questions “a., b., c.”, repeated for each response selected.)
1. Device settings or preferences (e.g., security level, sharing options, ringtones)
a. Provide count
b. Is this count known or approximate? (Known/Approximate)
c. Did potential or confirmed access occur? (Potential/Confirmed)
2. Cell tower records (i.e., logs, user location, time, etc.)
3. Network communications data
F. Other Specific Information or File Types (DESIGN NOTE: Multi select and for sub questions “a., b., c.”, repeated for each response selected.)
1. Taxpayer information/Tax return information
a. Provide count
b. Is this count known or approximate? (Known/Approximate)
c. Did potential or confirmed access occur? (Potential/Confirmed)
2. Law enforcement information
3. Security clearance/background check information
4. Civil/criminal history information/police record
5. Academic and professional background information
6. Health information
7. Case files
8. Personnel files
9. Credit history information
10. Other
a. Please provide the other specific information or file type(s)
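Q75 and Q78 count different things: Q75 wants individuals, counted once however many datasets they appear in, while Q78 wants record instances per PII type, each row carrying its own known/approximate and potential/confirmed flag. The following is an added worked example, not part of the CISA form or any CISA tooling, of rolling per-dataset investigation findings up into those two figures. The Finding, TypeCount and Rollup structures, their field names, the upper-bound rule for datasets whose individuals could not be enumerated, and the sample findings at the bottom are all this example's own assumptions (constructed data, hypothetical dataset names); per-person keys are opaque identifiers, never the PII itself, in keeping with the form's instruction not to include PII samples.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    """One exposed dataset (a table, mailbox, file share) from the investigation."""
    dataset: str
    pii_types: tuple                    # Q78 types present in every record of the dataset
    records: int                        # record instances in the dataset (counted or estimated)
    individual_ids: frozenset = frozenset()  # opaque per-person keys (never the PII itself);
                                             # empty when only an estimate exists
    confirmed: bool = False             # access confirmed (Q78 c. "Confirmed") vs potential

    @property
    def approximate(self) -> bool:
        # Without enumerable individuals the record figure is an estimate (Q78 b.)
        return not self.individual_ids


@dataclass
class TypeCount:
    """One Q78 row for a single PII type: a. count, b. known/approximate, c. potential/confirmed."""
    count: int = 0
    approximate: bool = False
    confirmed: bool = False


@dataclass
class Rollup:
    individuals: int                    # Q75: people, counted once across datasets
    individuals_approximate: bool
    per_type: dict = field(default_factory=dict)   # Q78: PII type -> TypeCount


def rollup(findings) -> Rollup:
    """Aggregate findings the way the form separates them.

    Q75: a person present in two datasets counts once; datasets whose
    individuals could not be enumerated are added as an upper bound (assumption
    of this example) and make the Q75 figure approximate.
    Q78: record instances per PII type, so the same person's SSN in two
    datasets is two instances. One approximate contribution makes a type's
    count approximate; one confirmed access makes the type confirmed.
    """
    known: set = set()
    unenumerated = 0
    per_type: dict = {}
    for f in findings:
        if f.individual_ids:
            known |= f.individual_ids
        else:
            unenumerated += f.records
        for t in f.pii_types:
            row = per_type.setdefault(t, TypeCount())
            row.count += f.records
            row.approximate = row.approximate or f.approximate
            row.confirmed = row.confirmed or f.confirmed
    return Rollup(len(known) + unenumerated, unenumerated > 0, per_type)


def q78_rows(r: Rollup) -> list:
    """Render each Q78 row as the form's a./b./c. triple, sorted by PII type."""
    return sorted(
        (t, c.count, "Approximate" if c.approximate else "Known",
         "Confirmed" if c.confirmed else "Potential")
        for t, c in r.per_type.items()
    )


# Constructed sample findings (hypothetical datasets and person keys).
SAMPLE = [
    Finding("hr_db.employees",
            ("Full social security number", "Full name", "Date of birth"),
            records=50, individual_ids=frozenset(f"emp-{i}" for i in range(50)),
            confirmed=True),
    Finding("payroll_export.csv",                       # same people, one extra PII type
            ("Full social security number", "Personal bank account number"),
            records=30, individual_ids=frozenset(f"emp-{i}" for i in range(30))),
    Finding("shared_mailbox.pst",                       # estimate only, no per-person keys
            ("Full name", "Personal email address"),
            records=200),
]

if __name__ == "__main__":
    r = rollup(SAMPLE)
    print(f"Q75 individuals: {r.individuals} "
          f"({'Approximate' if r.individuals_approximate else 'Known'})")
    for row in q78_rows(r):
        print("Q78", *row)
```

With the sample findings, Q75 comes out as 250 and approximate (50 enumerated employees plus the 200-record mailbox estimate, whose overlap with the known employees cannot be resolved), while the Q78 row for the full SSN is 80 record instances, known and confirmed, because the 30 payroll records are instances in their own right even though they belong to people already counted in Q75.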
Incident Stage (A): Security Control(s) [Contributing to Incident]
79. [Op] + [RR but NOT FISMA or FedRAMP reporting] Please review the “Protect” section of the CISA Cross-Sector Cybersecurity Performance Goals (CPGs). 61 To the best of your knowledge, did the implementation (or lack thereof), misconfiguration, or failure of a security control (as described in CISA’s Protect CPGs) 62 lead to, contribute to, or otherwise factor into your incident? (Yes/No/Unknown)
A. Yes
i. (DESIGN NOTE: If Yes) Select all that apply [ ] non-implementation [ ] misconfiguration and/or [ ] failure of the security control
B. No
C. Unknown (DESIGN NOTE: If the person selects “Unknown”, then DISPLAY NOTE: When and if, during your investigation, you discover knowledge about security controls contributing to the incident, please return to this question and share any details you can about security controls where the implementation (or lack thereof), improper configuration, or other aspect of the control led to, contributed to, or otherwise factored into the incident.)
80. {Conditional if Q 79 = Yes} [Op] + [RC] Select the applicable control(s) from the CISA Cybersecurity Performance Goals, “Protect” section 63.
A. Select from (DESIGN NOTE: See Appendix 2 for answer options, multi choice select) (DESIGN NOTE: Repeat for each CPG Protect Control selected)
1. Was the [ ] failure, [ ] misconfiguration, or [ ] non-implementation of the control due to a published CVE 64(s)? (DISPLAY NOTE: Select one)
a. Yes (DESIGN NOTE: The following “CVE” questions are conditional only if the reporter selected “YES” to security controls factoring into the incident)
1. What is the CVE(s)? (DESIGN NOTE: Multi select for Failed, Misconfigured, and Not implemented) (repeat for each CVE identified)
61 Cross-Sector Cybersecurity Performance Goals | CISA (https://www.cisa.gov/cross-sector-cybersecurity-performance-goals)
62 See Appendix 2
63 See Appendix 2
64 Common Vulnerabilities and Exposures (CVE) is a program that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities. https://cve.mitre.org/
b. No
c. Unknown
2. Do one or more of the observed TTPs reported earlier in this report relate to this selected security control? (Yes/No)
a. (DESIGN NOTE: If Yes) Please select from your reported observed TTPs those that are attributed to this security control (DESIGN NOTE: Display all TTPs [MITRE ATT&CK and general] that have been reported and allow user to select one or more TTPs and associate with this/these security control(s).)
B. Please provide any additional information regarding how security control implementation, failure, misconfiguration, or non-implementation played a role in this incident (DESIGN NOTE: Open text) (DISPLAY NOTE: This includes not only any additional information regarding how failure, misconfiguration, or non-implementation of a control may have contributed to an incident, but also information regarding any controls that were also effective in mitigating or detecting the incident, and/or controls that worked and forced the threat actor to pivot to something more complex, etc.)
81. [FISMA or FedRAMP reporting only] (DISPLAY NOTE: CISA understands the NIST SP 800-53 and NIST SP 800-171 are primary sources to follow when establishing and setting various system controls under FISMA and FedRAMP requirements. CISA also acknowledges others outside FISMA and FedRAMP may not be as familiar with these publications. Therefore, CISA has implemented two paths for identifying security controls that have contributed to the incident. For FISMA and/or FedRAMP reporting the NIST publications are available to reference. For all other reporting, the “Protect” section of the CISA Cross-Sector Cybersecurity Performance Goals (CPGs) 65 will be referenced.) To the best of your knowledge, did the implementation (or lack thereof), misconfiguration, or failure of a security control (as described in NIST SP 800-53) lead to, contribute to, or otherwise factor into your incident? (Yes/No/Unknown)
A. Yes
i. (DESIGN NOTE: If Yes) Select all that apply [ ] non-implementation [ ] misconfiguration and/or [ ] failure of the security control
B. No
C. Unknown (DESIGN NOTE: If the person selects “Unknown”, then DISPLAY NOTE: When and if, during your investigation, you discover knowledge about security controls contributing to the incident, please return to this question and share any details you can about security controls where the implementation (or lack thereof), improper configuration, or other aspect of the control led to, contributed to, or otherwise factored into the incident.)
82. {Conditional if Q 81 = Yes} [FISMA and FedRAMP only] (DISPLAY NOTE: To enhance trends and analysis of security controls between incidents, establishing a common reference is a sound approach. Therefore, CISA has associated the CISA CPGs with a subset of NIST SP 800-53 controls (NIST SP 800-171 is in development). You will have an opportunity to select this subset first if applicable, then can select from the remaining NIST SP 800-53 set of controls if necessary.) Select the applicable control(s) from NIST SP 800-53 (CPG preferred list first), then if applicable select from the remaining controls.
65 Cross-Sector Cybersecurity Performance Goals | CISA (https://www.cisa.gov/cross-sector-cybersecurity-performance-goals)
A. Select from (DESIGN NOTE: provide NIST SP 800-53 subset list per Appendix 2 CPG to NIST SP 800-53 mapping as first dropdown list, then provide another dropdown list identifying remaining NIST SP 800-53 controls) (DESIGN NOTE: Repeat for each control selected, multi choice select)
1. Was the [ ] failure, [ ] misconfiguration, or [ ] non-implementation of the control due to a published CVE 66(s)? (DISPLAY NOTE: Select one)
a. Yes (DESIGN NOTE: The following “CVE” questions are conditional only if the reporter selected “YES” to security controls factoring into the incident)
1. What was the CVE(s)? (DESIGN NOTE: Multi select for Failed, Misconfigured, and Not implemented) (repeat for each CVE identified)
b. No
c. Unknown
2. Do one or more of the observed TTPs reported earlier in this report relate to this selected security control? (Yes/No)
a. (DESIGN NOTE: If Yes) Please select from your reported observed TTPs the one(s) that are attributed to this security control (DESIGN NOTE: Display all TTPs [MITRE ATT&CK and general] that have been reported and allow user to select one or more TTPs and associate with this/these security control(s).)
B. Please provide any additional information regarding how security control implementation, failure, misconfiguration, or non-implementation played a role in this incident (DESIGN NOTE: Open text) (DISPLAY NOTE: This includes not only any additional information regarding how failure, misconfiguration, or non-implementation of a control may have contributed to an incident, but also information regarding any controls that were also effective in mitigating or detecting the incident, and/or controls that worked and forced the threat actor to pivot to something more complex, etc.)
o. Containment (C) Stage 67
83. [Op] + [FISMA Req] Have you begun the containment stage? (Yes/No/Unsure) (Note: This stage involves taking steps to prevent the incident from spreading further.)
A. (DESIGN NOTE: If Yes) Provide the date and time (yyyy-mm-dd HH:MM -) containment activities began
B. Provide an overview of your containment strategy
1. If implementation of the containment strategy is complete, was the containment strategy successful? (Y/N)
a. (DESIGN NOTE: If No) Provide details on how your strategy is changing (DESIGN NOTE: Open text)
66 Common Vulnerabilities and Exposures (CVE) is a program that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities. https://cve.mitre.org/
67 Containment Stage – Stage of the incident life cycle that employs activities before an “incident overwhelms resources or increases damage. Containment provides time for developing a tailored remediation strategy” and can involve many different approaches based on the known severity of the incident as determined during the Analysis Stage “(e.g., shut down a system, disconnect it from a network, disable certain functions).” [derived from pg 35 of NIST 800-61 r2]
84. [CUI] {Conditional} [Op] + [FISMA Req] What specific containment action(s) have been taken? (DESIGN NOTE: Can be more than one, include options to add)
A. Description (DESIGN NOTE: Open text)
B. Date and time (yyyy-mm-dd HH:MM -)
C. Has this action been completed? (Yes/No)
1. (DESIGN NOTE: If Yes) Was this action successful? (Yes/No)
a. (DESIGN NOTE: If No) Can you identify why it wasn't successful? (DESIGN NOTE: Open text)
b. [CUI] (DESIGN NOTE: If No) Provide details on how your containment action is changing (DESIGN NOTE: Open text)
85. [RC] Have you completed containment? (Yes/No)
Incident Stage (C): Countermeasures – Containment
86. [Op] + [FISMA Req] As explained earlier, the MITRE D3FEND matrix categorizes countermeasures into multiple categories. Containment actions are identified in the “harden,” “isolate,” and “deceive” categories. Please select the containment actions you have taken from among these categories. (Select all that apply)
A. Select applicable “containment” countermeasures from the MITRE D3FEND list:
B. [Op] We are unable to use MITRE D3FEND to identify “containment” countermeasures used during this incident, or our organization leveraged a “containment” countermeasure not listed or that is currently unidentified in MITRE D3FEND
1. Did you employ a containment technique that potentially fit within an existing “MITRE D3FEND tactic” but was not listed? (Yes/No) (DISPLAY NOTE: The top-line categories associated with containment are “harden”, “isolate”, or “deceive”. These are considered the “tactics”.)
(DESIGN NOTE: If Yes)
a. Which tactic did your containment action fall under?
1. Harden
i. Which base technique did your action fall under?
1. Application hardening
2. Credential hardening
3. Message hardening
4. Platform hardening
2. Isolate
i. Which base technique did your action fall under?
1. Execution isolation
2. Network isolation
3. Deceive
i. Which base technique did your action fall under?
1. Decoy environment
2. Decoy object
b. Description (DESIGN NOTE: Open text)
2. (DESIGN NOTE: If No) If unable to use MITRE D3FEND to identify “containment” countermeasures used during this incident and cannot bucket the countermeasure into an existing MITRE D3FEND category, please provide a description and details of the countermeasures you have employed (DESIGN NOTE: Open text)
C. Unknown
D. None
87. [Op] Please provide any additional context for the “containment” countermeasures you have taken (DESIGN NOTE: Open text)
p. Eradication (E) Stage 68
88. [CUI] [Op] + [FISMA Req] Have you begun the eradication stage? (Yes/No/Unsure)
A. [If Yes] Provide the date and time (yyyy-mm-dd HH:MM -) eradication activities began.
1. [CUI] {Conditional} [Op] + [FISMA Req] Provide an overview of your eradication strategy (DESIGN NOTE: Open text)
2. {Conditional} [Op] + [FISMA Req] Have you completed the eradication activities? (Yes/No)
a. (DESIGN NOTE: If Yes) Please provide date and time (yyyy-mm-dd HH:MM -)
b. (DESIGN NOTE: If No) Is the implementation of your eradication strategy complete? (Y/N)
c. (DESIGN NOTE: If No) Was the eradication strategy successful? (Y/N)
1. (DESIGN NOTE: If No) Provide details on how your eradication strategy is changing (DESIGN NOTE: Open text)
d. (DESIGN NOTE: If No) What specific eradication action(s) have been taken? (DESIGN NOTE: Can be more than 1, include options to add)
1. Description (DESIGN NOTE: Open text)
2. Date and time (yyyy-mm-dd HH:MM -)
3. Has this action been completed? (Yes/No)
i. (DESIGN NOTE: If Yes) Was this action successful? (Yes/No)
ii. (DESIGN NOTE: If No) Can you identify why it wasn't successful?
iii. (DESIGN NOTE: If No) Provide details on how your eradication action is changing.
68 Eradication Stage: Stage of the incident life cycle that follows one or more containment activities and results of further analysis that “may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that they can be remediated [and remove any remnants of invalid computer code, invalid system accounts and other threat actor influenced system configurations to eliminate the threat.] For some incidents, eradication is either not necessary or is performed during recovery (e.g., files are restored from valid backups).” [derived from pg. 37 of NIST 800-61 r2]
Incident Stage (E): Countermeasures – Eradication
89. [Op] + [FISMA Req] As noted earlier, the MITRE D3FEND matrix categorizes countermeasures into multiple categories. Eradication actions are identified in MITRE’s D3FEND matrix in the “evict” category. Please select the eviction actions you have taken from this category. (Select all that apply.)
    A. Select applicable “evict” countermeasures from the MITRE D3FEND list:
    B. [Op] We are unable to use MITRE D3FEND to identify eradication countermeasures used during this incident, or our organization leveraged an eradication countermeasure not listed or that is currently unidentified in MITRE D3FEND.
        1. Did you employ an eradication technique that potentially fit within an existing “MITRE D3FEND tactic” but was not listed? (Yes/No) (DISPLAY NOTE: The top-line category associated with eradication is “evict”. This is considered the “tactic”.)
            (DESIGN NOTE: If Yes) Which evict technique did your action fall under?
                1. Credential eviction
                    i. Description
                2. File eviction
                    i. Description
                3. Process eviction
                    i. Description
        2. Please provide a description and details of the countermeasures you have employed (DESIGN NOTE: Open text)
    C. (DESIGN NOTE: If No) If unable to use MITRE D3FEND to identify “eradication” countermeasures used during this incident and cannot bucket the countermeasure into an existing MITRE D3FEND category, please provide a description and details of the countermeasures you have employed (DESIGN NOTE: Open text)
    D. Unknown
    E. None
90. [CUI] {Conditional} [Op] + [FISMA Req] Please provide any additional context for the “eradication” actions you have taken (DESIGN NOTE: Open text)
q. Recovery (R) Stage
91. [CUI] [Op] + [FISMA Req] Have you begun the recovery stage (footnote 69)? (Yes/No/Unsure)
(DISPLAY NOTE: In the recovery stage, the focus is on restoring affected systems and services to normal operation.)
    A. [RC] (DESIGN NOTE: If Yes)
        1. Please enter the organization’s estimated recovery date and time
            a. Date and time (yyyy-mm-dd HH:MM -)
        2. [Op] + [FISMA Req] Describe your recovery strategy (DESIGN NOTE: Open text)
        3. [Op] + [FISMA Req] Have you completed the recovery stage and “accepted” that normal operations have resumed? (Yes/No)
            a. (DESIGN NOTE: If Yes) Please provide the date and time (yyyy-mm-dd HH:MM -)
        4. Was the recovery strategy successful? (Yes/No)
            (DESIGN NOTE: If No)
            a. Did you modify your strategy after you began recovery? (Yes/No)
                [CUI] (DESIGN NOTE: If Yes) Why did you modify the strategy? (DESIGN NOTE: Open text)
Footnote 69: Recovery Stage - Stage in the incident life cycle that provides "restoration of critical information technology systems and services" to normal [or newly accepted] operations within a time period accepted by the owning entity. "Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security (e.g., firewall rulesets, boundary router access control lists)." [derived from "intermediate recovery", page 347 of https://www.dhs.gov/publication/dhs-lexicon and pg. 37 of NIST 800-61 r2]
92. [Op] + [RR] Estimate the scope of resources needed to recover from the incident (recoverability).
    A. Regular (DISPLAY NOTE: (Provide hover-over) Time to recover is predictable with existing resources.)
    B. Supplemented (DISPLAY NOTE: (Provide hover-over) Time to recover is predictable with additional resources.)
    C. Extended (DISPLAY NOTE: (Provide hover-over) Time to recover is unpredictable; additional resources and outside help are needed.)
    D. Not recoverable (DISPLAY NOTE: (Provide hover-over) Recovery from the incident is not possible (e.g., sensitive data exfiltrated and posted publicly).)
Incident Stage (R): Recovery Actions
93. [Op] + [FISMA Req] As noted earlier, the MITRE D3FEND matrix categorizes countermeasures into multiple categories. Recovery activities are identified in MITRE’s D3FEND matrix in the “restore” category. Please select the recovery actions you have taken from this category. (Select all that apply.)
    A. Select applicable “restore” measures from the MITRE D3FEND list:
    B. [Op] We are unable to use MITRE D3FEND to identify “recovery” countermeasures used during this incident, or our organization leveraged a “recovery” countermeasure not listed or that is currently unidentified in MITRE D3FEND.
        1. Did you employ a recovery technique that potentially fit within an existing “MITRE D3FEND tactic” but was not listed? (Yes/No) (DISPLAY NOTE: The top-line category associated with “recovery” is “restore.” This is considered the “tactic”.)
            (DESIGN NOTE: If Yes) Which restore technique did your action(s) fall under?
                1. Restore access
                    i. Description
                2. Restore object
                    i. Description
        2. (DESIGN NOTE: If No) If unable to use MITRE D3FEND to identify “recovery” countermeasures used during this incident, and you cannot bucket your countermeasure into an existing MITRE D3FEND category, please provide a description and details of the countermeasures you have employed. (DESIGN NOTE: Open text)
    C. Unknown
    D. None
94. [Op] + [FISMA Req] Please describe any additional recovery steps you have taken (e.g., additional external outreach and/or support; updates to any relevant policies, procedures, and plans, such as incident response plans, continuity of business plans, disaster recovery plans, system back-up and restore plans, and business exercise plans) (DESIGN NOTE: Open text)
r. Post-Incident (P-I) Stage
95. [Op] + [FISMA Req] Has the incident concluded? (Yes/No)
    (DESIGN NOTE: If Yes) Provide your post-incident report/details
    A. [Op] + [FISMA Req] If available, submit any post-incident or after-action reports related to this incident (Submit your organization’s post-incident report (WITH AN UPLOAD FILE OPTION HERE.) (DISPLAY NOTE: For Federal civilian executive branch agencies, this is in line with CISA’s Incident Playbook to allow CISA to “validate organization’s response”.) (footnote 70)
Footnote 70: Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems. Publication: November 2021.
    B. [Op] + [FISMA Req] Looking back on your incident response, was there information that, had you received it or learned it sooner, would have led to a more streamlined, quicker, and/or more effective incident response? If yes, identify the incident response stage where you would have preferred to receive this information. (DESIGN NOTE: Multi select; based on NIST 800-61 r2, the major phases of an incident life cycle.)
        1. Identification and detection
            a. Which organization could have provided the information? (DESIGN NOTE: Repeated for each stage selected.)
        2. Analysis
        3. Containment
        4. Eradication
        5. Recovery
        6. Post-incident
    C. [Op] + [FISMA Req] Has the impacted organization performed a review of the incident and incident response to identify lessons learned? (Y/N)
        1. (DESIGN NOTE: If Yes) Please describe the identified lessons learned in the areas of:
            a. Incident handling processes
            b. Mean time to effective analysis
            c. Mean time to detection
            d. Mean time to response
            e. Mean time to defense
            f. Mean time to reporting
            g. Other
    D. [Op] + [FISMA Req] Based on your experience in this incident, please provide recommendations on how CISA can improve the support it provides.
        1. What could CISA do differently in future incidents? (DESIGN NOTE: Open text)
        2. Are there indicators of compromise or relevant detection mechanisms you have not provided previously in this report and believe can enable detection of similar incidents in the future? (DESIGN NOTE: Open text)
        3. What additional tools or resources would you need to detect, analyze, and mitigate future incidents? (DESIGN NOTE: Open text)
s. Event Reporting (Below Incident Thresholds) (FISMA Only)
(DESIGN NOTE: FISMA Only – If reporter answers “NO” to all CIA Impact Assessments)
96. [FISMA Req] Has this activity already been reported? (Yes/No)
    A. (DESIGN NOTE: If Yes) Provide
        1. Incident report form submission number.
        2. CISA incident tracking number.
97. [CUI] [FISMA Req] Describe the scope of impacted systems and provide a high-level summary of the event activity. (DESIGN NOTE: Narrative of the event detection)
98. [FISMA Req] When did you first detect the activity?
    A. Date and time (yyyy-mm-dd HH:MM -)
99. [FISMA Req] When did you declare an event?
    A. Date and time (yyyy-mm-dd HH:MM -)
100. [FISMA Req] Please provide any additional information relevant to the event (DESIGN NOTE: Open text)
101. [FISMA Req] Has the entity covered by this event resolved the consequences of the event? (Yes/No)
    A. (DESIGN NOTE: If Yes) Provide the date and time when the event was resolved
        1. Recovered as of date/time (yyyy-mm-dd HH:MM -)
102. [FISMA Req] Please describe any additional steps you have taken to resolve the event (e.g., additional external outreach and/or support; updates to any relevant policies, procedures, and plans, such as incident response plans, continuity of business plans, disaster recovery plans, system back-up and restore plans, and business exercise plans) (DESIGN NOTE: Open text)
t. Data Marking Stage
Cybersecurity Information Sharing Act of 2015 Acknowledgement
(DESIGN NOTE: Only show for Non-Federal Voluntary Reporters [i.e., Voluntary Report] or Non-Federal Non-Voluntary Reporters [e.g., TSA]; not to be shown for FISMA reporters)
103. [Op] + [Not Applicable to FISMA Reporting] To the extent not already indicated using the data markings, do your responses to any of the questions above constitute cyber threat indicator(s) or defensive measure(s) submitted under the Cybersecurity Information Sharing Act of 2015 that the submitter is requesting be treated as commercial, financial, and proprietary? (Yes/No)
    A. (DESIGN NOTE: If Yes) Select question numbers (DESIGN NOTE: Provide drop-down, multi select).
Overall Report Data Markings
104. [CUI] [Op] + [RR] The most restrictive marking that has been reported in this incident is X (footnote 71). Is this a valid marking for the entire incident? (Yes/No)
    A. (DESIGN NOTE: If Yes) Then the incident marking is X (footnote 72).
    B. (DESIGN NOTE: If No) User to enter new marking for the entire incident (DESIGN NOTE: See Appendix 1 for question options) (footnote 73)
Footnote 71: The default data marking presented here.
Footnote 72: The accepted default data marking here.
Footnote 73: Option to change default data marking.
u. End of Incident Reporting Questions
v. Appendix 1: Data Marking
Data Marking Options
1. Specific data marking options are as follows:
    1. [C-15] Cybersecurity Information Sharing Act of 2015 commercial, financial, and proprietary (footnote 74)
    2. [CUI] Controlled unclassified information (CUI) (footnote 75)
Footnote 74: Indicating that the marked data constitutes cyber threat indicator(s) or defensive measure(s) submitted under the Cybersecurity Information Sharing Act of 2015 that the submitter is requesting be treated as commercial, financial, and proprietary.
Footnote 75: CUI Markings | National Archives
w. Appendix 2: CISA Cybersecurity Performance Goals (footnote 76) (Protect) & NIST SP 800-53 References
Footnote 76: Cross-Sector Cybersecurity Performance Goals | CISA (https://www.cisa.gov/cross-sector-cybersecurity-performance-goals)
Protect CISA CPGs & NIST SP 800-53 References
Table columns: CPG #; Additional Reference(s) [including NIST 800-53 for FISMA reports]; Security Practice; Outcome; TTP or Risk Addressed; Recommended Action. Each CPG row is given below as one labelled record.

CPG 2.A: Changing default passwords
  Additional Reference(s): NIST SP 800-53: IA-5; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
  Outcome: Prevent threat actors from using default passwords to achieve initial access or move laterally in a network.
  TTP or Risk Addressed: Valid accounts - default accounts (T1078.001); Valid accounts (ICS T0859)
  Recommended Action: An enforced organization-wide policy and/or process that requires changing default manufacturer passwords for any/all hardware, software, and firmware before putting on any internal or external network. This includes IT assets for operational technology, such as operational technology administration web pages. In instances where changing default passwords is not feasible (e.g., a control system with a hard-coded password), implement and document appropriate compensating security controls, and monitor logs for network traffic and login attempts on those devices.
  Operational technology: While changing default passwords on an organization's existing operational technology requires significantly more work, we still recommend having such a policy to change default credentials for all new or future devices. This is not only easier to achieve, but also reduces potential risk in the future if adversary TTPs change.
CPG 2.B: Minimum password strength
  Additional Reference(s): NIST SP 800-53: IA-5; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; XKCD 936
  Outcome: Organizational passwords are harder for threat actors to guess or crack.
  TTP or Risk Addressed: Brute force - password guessing (T1110.001); Brute force - password cracking (T1110.002); Brute force - password spraying (T1110.003); Brute force - credential stuffing (T1110.004)
  Recommended Action: Organizations have a system-enforced policy that requires a minimum password length of 15* or more characters for all password-protected IT assets and all operational technology assets, when technically feasible.** Organizations should consider leveraging passphrases and password managers to make it easier for users to maintain sufficiently long passwords. In instances where minimum password lengths are not technically feasible, compensating controls are applied and recorded, and all login attempts to those assets are logged. Assets that cannot support passwords of sufficient length are prioritized for upgrade or replacement.
  This goal is particularly important for organizations that lack widespread implementation of multifactor authentication (MFA) and capabilities to protect against brute-force attacks (such as web application firewalls and third-party content delivery networks) or are unable to adopt passwordless authentication methods.
  * Modern attacker tools can crack eight-character passwords quickly. Length is a more impactful and important factor in password strength than complexity or frequent password rotations. Long passwords are also easier for users to create and remember.
  ** Operational technology assets that use a central authentication mechanism (such as Active Directory) are most important to address. Examples of low-risk operational technology assets that may not be technically feasible include those in remote locations, such as those on offshore rigs or on wind turbines.

CPG 2.C: Unique credentials
  Additional Reference(s): NIST SP 800-53: AC-2, AC-3; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
  Outcome: Attackers are unable to reuse compromised credentials to move laterally across the organization, particularly between IT and operational technology networks.
  TTP or Risk Addressed: Valid accounts (T1078, ICS T0859); Brute force - password guessing (T1110.001)
  Recommended Action: Organizations provision unique and separate credentials for similar services and asset access on IT and operational technology networks. Users do not (or cannot) reuse passwords for accounts, applications, services, etc. Service accounts/machine accounts have passwords that are unique from all member user accounts.
CPG 2.D: Revoking credentials for departing employees
  Additional Reference(s): NIST SP 800-53: AC-2, AC-3; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
  Outcome: Prevent unauthorized access to organizational accounts or resources by former employees.
  TTP or Risk Addressed: Valid accounts (T1078, ICS T0859)
  Recommended Action: A defined and enforced administrative process applied to all departing employees by the day of their departure that (1) revokes and securely returns all physical badges, key cards, tokens, etc., and (2) disables all user accounts and access to organizational resources.

CPG 2.E: Separating user and privileged accounts
  Additional Reference(s): NIST SP 800-53: AC-6; ISA 62443-2-1:2009 4.3.3.7.3; ISA 62443-3-3:2013 SR 2.1
  Outcome: Make it harder for threat actors to gain access to administrator or privileged accounts, even if common user accounts are compromised.
  TTP or Risk Addressed: Valid accounts (T1078, ICS T0859)
  Recommended Action: No user accounts always have administrator or super-user privileges. Administrators maintain separate user accounts for all actions and activities not associated with the administrator role (e.g., for business email, web browsing). Privileges are re-evaluated on a recurring basis to validate continued need for a given set of permissions.

CPG 2.F: Network segmentation
  Additional Reference(s): NIST SP 800-53: AC-4, SC-7, SI-4; ISA 62443-2-1:2009 4.3.3.4; ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
  Outcome: Reduce the likelihood of adversaries accessing the operational technology network after compromising the IT network.
  TTP or Risk Addressed: Network service discovery (T1046); Trusted relationship (T1199); Network connection enumeration (ICS T0840); Network sniffing (T1040, ICS T0842)
  Recommended Action: All connections to the operational technology network are denied by default unless explicitly allowed (e.g., by IP address and port) for specific system functionality. Necessary communications paths between the IT and operational technology networks must pass through an intermediary, such as a properly configured firewall, bastion host, "jump box," or a demilitarized zone, which is closely monitored, captures network logs, and only allows connections from approved assets.

CPG 2.G: Detection of unsuccessful (automated) login attempts
  Additional Reference(s): NIST SP 800-53: AC-7; ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10
  Outcome: Protect organizations from automated, credential-based attacks.
  TTP or Risk Addressed: Brute force - password guessing (T1110.001); Brute force - password cracking (T1110.002); Brute force - password spraying (T1110.003); Brute force - credential stuffing (T1110.004)
  Recommended Action: All unsuccessful logins are logged and sent to an organization's security team or relevant logging system. Security teams are notified (e.g., by an alert) after a specific number of consecutive, unsuccessful login attempts in a short period (e.g., five failed attempts in two minutes). This alert is logged and stored in the relevant security or ticketing system for retroactive analysis.
  For IT assets, a system-enforced policy prevents future logins for the suspicious account. For example, this could be for some minimum time, or until the account is re-enabled by a privileged user. This configuration is enabled when available on an asset. For example, Windows 11 can automatically lock out accounts for 10 minutes after 10 incorrect logins over a 10-minute period.
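The alert threshold and the lockout policy described under CPG 2.G (five consecutive failures within two minutes for the alert; ten failures in ten minutes for a ten-minute lockout), worked as a detector over sshd-style log lines. This is an added example, not part of the CISA form or the CPG text; the log format, account names and addresses are constructed for illustration.

```python
"""Failed-login burst detector and lockout policy, modelled on CPG 2.G.

Added example, not from the CISA form or the CPG text. The sshd-style log
format and the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not from the page): one burst of five failures against
# svc-backup inside 90 seconds, and two isolated failures for alice 15 minutes apart.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z sshd[101]: Failed password for svc-backup from 203.0.113.7 port 5001 ssh2
2024-05-01T09:00:20Z sshd[102]: Failed password for svc-backup from 203.0.113.7 port 5002 ssh2
2024-05-01T09:00:45Z sshd[103]: Failed password for svc-backup from 203.0.113.7 port 5003 ssh2
2024-05-01T09:01:10Z sshd[104]: Failed password for svc-backup from 203.0.113.7 port 5004 ssh2
2024-05-01T09:01:30Z sshd[105]: Failed password for svc-backup from 203.0.113.7 port 5005 ssh2
2024-05-01T09:01:31Z sshd[106]: Accepted password for alice from 198.51.100.4 port 6001 ssh2
2024-05-01T09:05:00Z sshd[107]: Failed password for alice from 198.51.100.4 port 6002 ssh2
2024-05-01T09:20:00Z sshd[108]: Failed password for alice from 198.51.100.4 port 6003 ssh2
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, failed, user, source) or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return ts, m["result"] == "Failed", m["user"], m["src"]


def detect_bursts(log_text, threshold=5, window=timedelta(minutes=2)):
    """Emit one alert per (user, source) the first time `threshold` consecutive
    failures fall inside `window` (CPG 2.G example: five failures in two minutes).
    A successful login resets the key, so only consecutive failures are counted."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, failed, user, src = parsed
        key = (user, src)
        if not failed:
            recent[key].clear()
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "src": src, "failures": len(q),
                           "first": q[0].strftime(TS_FMT), "last": ts.strftime(TS_FMT)})
    return alerts


def lockout_until(failure_times, threshold=10, window=timedelta(minutes=10),
                  duration=timedelta(minutes=10)):
    """Return the time an account stays locked until, or None if the policy is not
    triggered. Mirrors the 2.G example: 10 failures within 10 minutes -> 10-minute lock."""
    times = sorted(failure_times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return times[i + threshold - 1] + duration
    return None


def lockout_demo(spacing_seconds, start="2024-05-01T10:00:00Z"):
    """Constructed scenario: ten failures `spacing_seconds` apart starting at `start`.
    Returns the lockout expiry as an ISO string, or None."""
    t0 = datetime.strptime(start, TS_FMT)
    until = lockout_until(t0 + timedelta(seconds=spacing_seconds * i) for i in range(10))
    return until.strftime(TS_FMT) if until else None


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {a['user']}@{a['src']}: {a['failures']} failures {a['first']}..{a['last']}")
    print("lockout (30 s spacing):", lockout_demo(30))
    print("lockout (90 s spacing):", lockout_demo(90))
```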
CPG 2.H: Phishing-resistant MFA
  Additional Reference(s): NIST SP 800-53: IA-2, IA-3; ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10
  Outcome: Add a critical, additional layer of security to protect assets and accounts whose credentials have been compromised.
  TTP or Risk Addressed: Brute force (T1110); Remote services - Remote desktop protocol (T1021.001); Remote services - SSH (T1021.004); Valid accounts (T1078, ICS T0859); External remote services (ICS T0822)
  Recommended Action: Organizations implement MFA for access to assets using the strongest available method for that asset (see below for scope). MFA options sorted by strength, high to low, are as follows:
    1. Hardware-based, phishing-resistant MFA (e.g., FIDO/WebAuthn or public key infrastructure (PKI)-based – see CISA guidance in “Resources”);
    2. If such hardware-based MFA is not available, then mobile app-based soft tokens (preferably push notification with number matching) or emerging technology such as FIDO passkeys are used;
    3. MFA via short message service (SMS) or voice only used when no other options are possible.
  IT: All IT accounts leverage MFA to access organizational resources. Prioritize accounts with highest risk, such as privileged administrative accounts for key IT systems.
  Operational technology: Within operational technology environments, MFA is enabled on all accounts and systems that can be accessed remotely, including vendors/maintenance accounts, remotely accessible user and engineering workstations, and remotely accessible Human Machine Interfaces (HMIs).

CPG 2.I: Basic cybersecurity training
  Additional Reference(s): NIST SP 800-53: AT-2; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2, A.12.2.1
  Outcome: Organizational users learn and perform more secure behaviors.
  TTP or Risk Addressed: User training (M1017, ICS M0917)
  Recommended Action: At least annual trainings for all organizational employees and contractors that cover basic security concepts, such as phishing, business email compromise, basic operational security, password security, etc., as well as foster an internal culture of security and cyber awareness. New employees receive initial cybersecurity training within 10 days of onboarding and recurring training on at least an annual basis.

CPG 2.J: Operational technology cybersecurity training
  Additional Reference(s): NIST SP 800-53: AT-3; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2
  Outcome: Personnel responsible for securing operational technology assets receive specialized operational technology-focused cybersecurity training.
  TTP or Risk Addressed: User training (M1017, ICS M0917)
  Recommended Action: In addition to basic cybersecurity training, personnel who maintain or secure operational technology as part of their regular duties receive operational technology-specific cybersecurity training on at least an annual basis.
CPG 2.K: Strong and agile encryption
  Additional Reference(s): NIST SP 800-53: SC-8, SC-13, SC-28; ISA 62443-3-3:2013 SR 3.1, SR 3.4, SR 3.8, SR 4.1, SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
  Outcome: Effective encryption deployed to maintain confidentiality of sensitive data and integrity of IT and operational technology traffic.
  TTP or Risk Addressed: Adversary-in-the-middle (T1557); Automated collection (T1119); Network sniffing (T1040, ICS T0842); Wireless compromise (ICS T0860); Wireless sniffing (ICS T0887)
  Recommended Action: Properly configured and up-to-date secure socket layer (SSL) / transport layer security (TLS) is utilized to protect data in transit, when technically feasible. Organizations should also plan to identify any use of outdated or weak encryption, update these to sufficiently strong algorithms, and consider managing the implications of post-quantum cryptography.
  Operational technology: To minimize the impact to latency and availability, encryption is used when feasible, usually for operational technology communications connecting with remote/external assets.

CPG 2.L: Secure sensitive data
  Additional Reference(s): NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, MP-12, PE-19, PS-3, PS-6, SC-7, SC-8, SC-11, SC-12, SC-13, SC-28, SC-31, SI-4; ISA 62443-3-3:2013 SR 3.4, SR 4.1, SR 5.2; ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
  Outcome: Protect sensitive information from unauthorized access.
  TTP or Risk Addressed: Unsecured credentials (T1552); Steal or forge Kerberos tickets (T1558); OS credential dumping (T1003); Data from information repositories (ICS T0811); Theft of operational information (T0882)
  Recommended Action: Sensitive data, including credentials, are not stored in plaintext anywhere in the organization and can only be accessed by authenticated and authorized users. Credentials are stored in a secure manner, such as with a credential/password manager or vault, or other privileged account management solution.
CPG 2.M: Email security
  Additional Reference(s): NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, CM-8, MP-6, MP-8, PE-16, PE-19, PS-3, PS-6, SC-7, SC-8, SC-11, SC-12, SC-13, SC-28, SC-31, SI-4; ISA 62443-3-3:2013 SR 3.1, SR 3.4, SR 3.8, SR 4.1, SR 4.2, SR 5.2
  Outcome: Reduce risk from common email-based threats, such as spoofing, phishing, and interception.
  TTP or Risk Addressed: Phishing (T1566); business email compromise
  Recommended Action: On all corporate email infrastructure (1) STARTTLS is enabled, (2) Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are enabled, and (3) Domain-based Message Authentication, Reporting, and Conformance (DMARC) is enabled and set to "reject." For further examples and information, see CISA’s past guidance for federal agencies at: https://www.cisa.gov/binding-operational-directive-18-01

CPG 2.N: Disable macros by default
  Additional Reference(s): NIST SP 800-53: CM-10, CM-11, SC-13; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  Outcome: Reduce the risk from embedded macros and similar executable code, a common and highly effective threat actor TTP.
  TTP or Risk Addressed: Phishing - spearphishing attachment (T1566.001); User execution - malicious file (T1204.002)
  Recommended Action: A system-enforced policy that disables Microsoft Office macros, or similar embedded code, by default on all devices. If macros must be enabled in specific circumstances, there is a policy for authorized users to request that macros are enabled on specific assets.

CPG 2.O: Document device configurations
  Additional Reference(s): NIST SP 800-53: CM-2, CM-6, CM-8; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  Outcome: More efficiently and effectively manage, respond to, and recover from cyberattacks against the organization and maintain service continuity.
  TTP or Risk Addressed: Delayed, insufficient, or incomplete ability to maintain or restore functionality of critical devices and service operations.
  Recommended Action: Organizations maintain accurate documentation describing the baseline and current configuration details of all critical IT and operational technology assets to facilitate more effective vulnerability management and response and recovery activities. Periodic reviews and updates are performed and tracked on a recurring basis.

CPG 2.P: Document network topology
  Additional Reference(s): NIST SP 800-53: CM-2, CM-6, CM-8; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  Outcome: More efficiently and effectively respond to cyberattacks and maintain service continuity.
  TTP or Risk Addressed: Incomplete or inaccurate understanding of network topology inhibits effective incident response and recovery.
  Recommended Action: Organizations maintain accurate documentation describing updated network topology and relevant information across all IT and operational technology networks. Periodic reviews and updates should be performed and tracked on a recurring basis.
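A check of the CPG 2.M email-authentication settings (SPF and DKIM present, DMARC set to reject) against DNS TXT records, as an added example that is not part of the CISA form or the CPG. The domains, the DKIM selector and the record values are constructed, and the `lookup` function stands in for a real DNS query; STARTTLS is not covered because it needs an SMTP session rather than DNS.

```python
"""Check email-authentication DNS records against CPG 2.M.

Added example, not from the CISA form or the CPG. The TXT record values,
domains and DKIM selector are constructed; `lookup` stands in for a real DNS
query and returns the TXT strings published at a name, or None.
STARTTLS is not checked here because that requires an SMTP session, not DNS.
"""

# Constructed TXT records: example.test still publishes p=quarantine, which
# falls short of the CPG's "set to reject"; hardened.test meets the goal.
CONSTRUCTED_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "mail._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...CONSTRUCTED"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
    "hardened.test": ["v=spf1 mx -all"],
    "mail._domainkey.hardened.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...CONSTRUCTED"],
    "_dmarc.hardened.test": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.test"],
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' string (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, dkim_selector, lookup=CONSTRUCTED_TXT.get):
    """Return a list of findings; an empty list means the domain meets CPG 2.M
    items (2) and (3) as far as DNS can show."""
    findings = []

    # (2) SPF: exactly one v=spf1 record is valid; ending in -all is stricter
    # than the CPG wording but is what makes the record enforceable.
    spf = [r for r in (lookup(domain) or []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (receivers treat this as a permanent error)")
    elif not spf[0].split()[-1].endswith("-all"):
        findings.append("SPF: record does not end with -all (recommended, stricter than CPG wording)")

    # (2) DKIM: the selector's public key must exist and not be revoked (empty p=)
    dkim = lookup(f"{dkim_selector}._domainkey.{domain}") or []
    if not dkim:
        findings.append(f"DKIM: no key published at selector {dkim_selector}")
    elif not any(parse_tags(r).get("p") for r in dkim):
        findings.append(f"DKIM: key at selector {dkim_selector} is revoked (empty p=)")

    # (3) DMARC enabled and set to reject; sp defaults to p when absent
    dmarc = [r for r in (lookup(f"_dmarc.{domain}") or []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record published")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy or 'missing'}; CPG 2.M requires p=reject")
        elif tags.get("sp", "reject").lower() != "reject":
            findings.append(f"DMARC: subdomain policy sp={tags['sp']} is weaker than reject")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for name in ("example.test", "hardened.test", "missing.test"):
        print(name, assess_domain(name, "mail") or ["meets CPG 2.M DNS checks"])
```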
CPG 2.Q: Hardware and software approval process
  Additional Reference(s): NIST SP 800-53: CM-2, CM-3, CM-5, CM-6, CM-10, CM-11; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  Outcome: Increase visibility into deployed technology assets and reduce the likelihood of breach by users installing unapproved hardware, firmware, or software.
  TTP or Risk Addressed: Supply chain compromise (T1195, ICS T0862); Hardware additions (T1200); Browser extensions (T1176); Transient cyber asset (ICS T0864)
  Recommended Action: Implement an administrative policy or automated process that requires approval before new hardware, firmware, or software/software version is installed or deployed. Organizations maintain a risk-informed allowlist of approved hardware, firmware, and software that includes specification of approved versions, when technically feasible. For operational technology assets specifically, these actions should also be aligned with defined change control and testing activities.

CPG 2.R: System backups
  Additional Reference(s): NIST SP 800-53: CP-6, CP-9, CP-10; ISA 62443-2-1:2009 4.3.4.3.9; ISA 62443-3-3:2013 SR 7.3, SR 7.4; ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
  Outcome: Organizations reduce the likelihood and duration of data loss at loss of service delivery or operations.
  TTP or Risk Addressed: Data destruction (T1485, ICS T0809); Data encrypted for impact (T1486); Disk wipe (T1561); Inhibit system recovery (T1490); Denial of control (ICS T0813); Denial/loss of view (ICS T0815, T0829); Loss of availability (T0826); Loss/manipulation of control (T0828, T0831)
  Recommended Action: All systems that are necessary for operations are regularly backed up on a regular cadence (no less than once per year). Backups are stored separately from the source systems and tested on a recurring basis, no less than once per year. Stored information for operational technology assets includes at a minimum: configurations, roles, programmable logic controller (PLC) logic, engineering drawings, and tools.

CPG 2.S: Incident Response (IR) Plans
  Additional Reference(s): NIST SP 800-53: IR-3, IR-4, IR-8; ISA 62443-2-1:2009 4.3.2.5.3, 4.3.2.5.7, 4.3.4.5.1, 4.3.4.5.11; ISA 62443-3-3:2013 SR 3.3; ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3
  Outcome: Organizations maintain, practice, and update cybersecurity incident response plans for relevant threat scenarios.
  TTP or Risk Addressed: Inability to quickly and effectively contain, mitigate, and communicate about cybersecurity incidents.
  Recommended Action: Organizations have, maintain, update, and regularly drill IT and operational technology cybersecurity incident response plans for both common and organizationally-specific (e.g., by sector, locality) threat scenarios and TTPs. When conducted, tests or drills are as realistic as feasible. IR plans are drilled at least annually and are updated within a risk-informed time frame following the lessons learned portion of any exercise or drill.
DRAFT FOR PUBLIC COMMENT
2.T
2.U
2.V
NIST SP 80053: AU-2, AU3, AU-7, AU-9,
AU-11
ISA 62443-21:2009
4.3.3.3.9,
4.3.3.5.8,
4.3.4.4.7,
4.4.2.1, 4.4.2.2,
4.4.2.4
ISA 62443-33:2013 SR 2.8,
SR 2.9, SR
2.10, SR 2.11,
SR 2.12
ISO/IEC
27001:2013
A.12.4.1,
A.12.4.2,
A.12.4.3,
A.12.4.4,
A.12.7.1
NIST SP 80053: AU-2, AU3, AU-7, AU-9,
AU-11
ISA 62443-21:2009
4.3.3.3.9,
4.3.3.5.8,
4.3.4.4.7,
4.4.2.1, 4.4.2.2,
4.4.2.4
ISA 62443-33:2013 SR 2.8,
SR 2.9, SR
2.10, SR 2.11,
SR 2.12
ISO/IEC
27001:2013
A.12.4.1,
A.12.4.2,
A.12.4.3,
A.12.4.4,
A.12.7.1
NIST SP 80053: MP-2, MP7
ISA 62443-33:2013 SR 2.3
ISO/IEC
27001:2013
A.8.2.1,
A.8.2.2,
A.8.2.3,
A.8.3.1,
A.8.3.3,
A.11.2.9
Goal: Log Collection (2.T)
  Outcome: Achieve better visibility to detect and effectively respond to cyberattacks.
  Risk addressed: Delayed, insufficient, or incomplete ability to detect and respond to potential cyber incidents.
  TTP: Impair defenses (T1562).
  Recommended action: Access- and security-focused logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, virtual private network) are collected and stored for use in both detection and incident response activities (e.g., forensics). Security teams are notified when a critical log source is disabled, such as Windows event logging.
  Operational technology: For operational technology assets where logs are non-standard or not available, network traffic and communications between those assets and other assets are collected.
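The "security teams are notified when a critical log source is disabled" action above is easy to state and easy to get half-right: watching only for the explicit "log cleared" events misses a source that is simply switched off. The following is an added example (not part of the CISA form or any CISA tooling) of detection logic that combines both signals over constructed, Windows-Event-Forwarding-style JSON lines. The field names, the set of critical channels and the 30-minute silence tolerance are assumptions made for the example.

```python
"""Detect a cleared or silent critical Windows log source.

Added example for the Log Collection goal; not part of the CISA form.
Two signals are combined:
  1. explicit events: EventID 1102 (Security log cleared) and EventID 104
     (System log cleared), both written by the Microsoft-Windows-Eventlog
     provider (ATT&CK T1070.001);
  2. silence: a host that has sent nothing on a critical channel for longer
     than SILENCE_LIMIT, which catches collection being switched off without
     any event being written (ATT&CK T1562).
Field names follow a typical Windows Event Forwarding JSON layout but are an
assumption of this example, as are the channel set and the tolerance.
"""
import json
from datetime import datetime, timedelta

CRITICAL_CHANNELS = {"Security", "System"}   # assumed policy for this example
SILENCE_LIMIT = timedelta(minutes=30)         # assumed tolerance

# EventID -> meaning, for events produced by the Microsoft-Windows-Eventlog provider.
LOG_CLEARED_EVENTS = {1102: "Security log cleared", 104: "System log cleared"}

# Constructed sample (not real telemetry): two hosts; ws-17 has its Security
# log cleared by a service account and then goes quiet on that channel.
SAMPLE_LINES = [
    '{"ts":"2024-05-01T08:00:00","host":"ws-17","channel":"Security","event_id":4624,"provider":"Microsoft-Windows-Security-Auditing","user":"ACME\\\\alice"}',
    '{"ts":"2024-05-01T08:05:00","host":"ws-17","channel":"Security","event_id":4672,"provider":"Microsoft-Windows-Security-Auditing","user":"ACME\\\\alice"}',
    '{"ts":"2024-05-01T08:06:00","host":"ws-17","channel":"Security","event_id":1102,"provider":"Microsoft-Windows-Eventlog","user":"ACME\\\\svc-backup"}',
    '{"ts":"2024-05-01T08:00:00","host":"srv-db-02","channel":"Security","event_id":4624,"provider":"Microsoft-Windows-Security-Auditing","user":"ACME\\\\dba"}',
    '{"ts":"2024-05-01T09:30:00","host":"srv-db-02","channel":"System","event_id":7036,"provider":"Service Control Manager","user":"SYSTEM"}',
    '{"ts":"2024-05-01T09:40:00","host":"ws-17","channel":"System","event_id":104,"provider":"Microsoft-Windows-Eventlog","user":"ACME\\\\svc-backup"}',
]


def parse_event(line):
    """Parse one JSON event line; timestamps become datetime objects."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["event_id"] = int(ev["event_id"])
    return ev


def log_cleared_alerts(events):
    """One alert per explicit 'log cleared' event, in input order."""
    alerts = []
    for ev in events:
        if ev.get("provider") == "Microsoft-Windows-Eventlog" and ev["event_id"] in LOG_CLEARED_EVENTS:
            alerts.append({
                "host": ev["host"],
                "channel": ev["channel"],
                "reason": LOG_CLEARED_EVENTS[ev["event_id"]],
                "user": ev.get("user", "?"),
                "ts": ev["ts"].isoformat(),
            })
    return alerts


def silent_sources(events, now):
    """(host, channel) pairs on critical channels with no event for more than
    SILENCE_LIMIT as of `now`. Only sources seen at least once are tracked."""
    last_seen = {}
    for ev in events:
        if ev["channel"] in CRITICAL_CHANNELS:
            key = (ev["host"], ev["channel"])
            last_seen[key] = max(last_seen.get(key, ev["ts"]), ev["ts"])
    return sorted(key for key, ts in last_seen.items() if now - ts > SILENCE_LIMIT)


def detect(lines, now_iso):
    """Run both checks over raw JSON lines as of the ISO-8601 time `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    events = [parse_event(line) for line in lines]
    return {"cleared": log_cleared_alerts(events), "silent": silent_sources(events, now)}


if __name__ == "__main__":
    report = detect(SAMPLE_LINES, "2024-05-01T10:00:00")
    for a in report["cleared"]:
        print(f"ALERT {a['host']}/{a['channel']}: {a['reason']} by {a['user']} at {a['ts']}")
    for host, channel in report["silent"]:
        print(f"ALERT {host}/{channel}: no events for more than {SILENCE_LIMIT}")
```

Run against the sample at 10:00, the explicit check fires twice for ws-17 (events 1102 and 104, both attributed to the svc-backup account), and the silence check additionally flags srv-db-02's Security channel, which never wrote a "cleared" event and would be invisible to a rule that keys on event IDs alone. The silence check needs a source baseline (here, "anything seen in the window"); in production that baseline is the asset inventory, so that a host that never reported at all is also caught.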
Goal: Secure Log Storage (2.U)
  Outcome: Organizations' security logs are protected from unauthorized access and tampering.
  TTPs: Indicator removal on host: clear Windows event logs (T1070.001); Indicator removal on host: clear Linux or Mac system logs (T1070.002); Indicator removal on host: file deletion (T1070.004); Indicator removal on host (ICS T0872).
  Recommended action: Logs are stored in a central system, such as a security information and event management tool or central database, and can only be accessed or modified by authorized and authenticated users. Logs are stored for a duration informed by risk or pertinent regulatory guidelines.
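Access control on the central store keeps unauthorized users out; it does not by itself tell you whether a record was altered or removed by someone who did get in. The following added example (not part of the CISA form or any CISA tooling) shows the usual complement: a keyed hash chain over appended records, so that editing, reordering or deleting a record breaks every link after it, plus an out-of-band "head" value that catches truncation of the tail, which a chain alone cannot see. The key, the record layout and the scenario are assumptions made for the example; in practice the key is held by the log server, not by the endpoints that ship logs to it.

```python
"""Tamper-evident central log store: an HMAC hash chain over appended records.

Added example for the Secure Log Storage goal; not part of the CISA form.
Each stored record carries HMAC-SHA256(key, previous link || record body).
Editing, deleting or reordering any record invalidates every later link.
Truncating the tail leaves a valid-looking chain, so verification also
compares the last link with a head value kept elsewhere (SIEM, WORM store).
The key below is an assumption; it belongs to the log server only.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value "before" the first record


def _link(key, prev_link, body):
    """HMAC binding this record body to the previous link."""
    msg = prev_link.encode() + b"\n" + body.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only list of records, each bound to its predecessor."""

    def __init__(self, key):
        self.key = key
        self.records = []  # each: {"seq": int, "body": str, "link": hex str}

    def append(self, event):
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        prev = self.records[-1]["link"] if self.records else GENESIS
        rec = {"seq": len(self.records), "body": body, "link": _link(self.key, prev, body)}
        self.records.append(rec)
        return rec["link"]

    def head(self):
        """Latest link; store this out of band after every batch."""
        return self.records[-1]["link"] if self.records else GENESIS


def verify(key, records, anchored_head=None):
    """Return (ok, reason). Recomputes every link in order and, when an
    anchored head is supplied, checks that no records are missing from the end."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, f"record {i}: sequence gap or reorder"
        expected = _link(key, prev, rec["body"])
        if not hmac.compare_digest(expected, rec["link"]):
            return False, f"record {i}: link mismatch (edited or chain broken)"
        prev = rec["link"]
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return False, "head mismatch: records missing from the tail"
    return True, "ok"


def demo():
    """Constructed scenario (not real data): three events are stored, then one
    copy has a record edited and another has the last record dropped."""
    key = b"example-only-key-held-by-log-server"  # assumption for the example
    log = ChainedLog(key)
    for ev in [
        {"host": "ws-17", "event_id": 4624, "user": "alice"},
        {"host": "ws-17", "event_id": 4672, "user": "svc-backup"},
        {"host": "ws-17", "event_id": 1102, "user": "svc-backup"},
    ]:
        log.append(ev)
    head = log.head()  # would be written to a separate, write-once location

    intact = verify(key, log.records, head)

    edited = [dict(r) for r in log.records]  # attacker rewrites who did it
    edited[1]["body"] = edited[1]["body"].replace("svc-backup", "alice")
    edit_result = verify(key, edited, head)

    truncated = log.records[:-1]                   # attacker hides the "log cleared" event
    trunc_unanchored = verify(key, truncated)      # chain alone still looks valid
    trunc_anchored = verify(key, truncated, head)  # anchored head exposes it

    return {"intact": intact, "edited": edit_result,
            "truncated_unanchored": trunc_unanchored, "truncated_anchored": trunc_anchored}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}: {why}")
```

The point of the two truncation checks in `demo()` is the caveat practitioners most often miss: a hash chain proves internal consistency, not completeness. Without the anchored head, dropping the final records (here, the very event that records the log being cleared) verifies cleanly. Retention (the "duration informed by risk or regulatory guidelines" in the action above) is then enforced by deleting whole anchored segments, never individual records.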
Goal: Prohibit Connection of Unauthorized Devices (2.V)
  Outcome: Prevent malicious actors from achieving initial access or data exfiltration via unauthorized portable media devices.
  TTPs: Hardware additions (T1200); Replication through removable media (T1091, ICS T0847).
  Recommended action: Organizations maintain policies and processes to ensure that unauthorized media and hardware are not connected to IT and operational technology assets, such as by limiting use of USB devices and removable media or disabling AutoRun.
  Operational technology: When feasible, establish procedures to remove, disable, or otherwise secure physical ports to prevent the connection of unauthorized devices, or establish procedures for granting access through approved exceptions.
Goal: No Exploitable Services on the Internet (2.W)
  Outcome: Unauthorized users cannot gain an initial system foothold by exploiting known weaknesses in public-facing assets.
  TTPs: Active scanning: vulnerability scanning (T1595.002); Exploit public-facing application (T1190, ICS T0819); Exploitation of remote services (T1210, ICS T0866); External remote services (T1133, ICS T0822); Remote services: remote desktop protocol (T1021.001).
  Recommended action: Assets on the public internet expose no exploitable services, such as remote desktop protocol. Where these services must be exposed, appropriate compensating controls are implemented to prevent common forms of abuse and exploitation. All unnecessary OS applications and network protocols are disabled on internet-facing assets.

Goal: Limit Operational Technology Connections to Public Internet (2.X)
  Outcome: Reduce the risk of threat actors exploiting or interrupting OT assets connected to the public internet.
  TTPs: Active scanning: vulnerability scanning (T1595.002); Exploit public-facing application (T1190, ICS T0819); Exploitation of remote services (T1210, ICS T0866); External remote services (T1133, ICS T0822).
  Recommended action: No operational technology assets are on the public internet unless explicitly required for operation. Exceptions must be justified and documented, and excepted assets must have additional protections in place to prevent and detect exploitation attempts (such as logging, MFA, mandatory access via proxy or other intermediary, etc.).
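Both goals above reduce to the same check over an external-exposure inventory: an exploitable service (or any OT asset at all) on the public internet is a finding unless a documented, justified exception exists and names the compensating controls the goal requires. The following added example (not part of the CISA form or any CISA tooling) applies that rule to a constructed inventory of the kind an external scan or asset register produces. The port list, the exception register and the sets of required controls are assumptions made for illustration; the OT set mirrors the examples the action text gives (logging, MFA, proxy/intermediary).

```python
"""Exposure policy check for internet-facing IT and OT assets.

Added example for the No Exploitable Services on the Internet and Limit OT
Connections to Public Internet goals; not part of the CISA form. All data and
thresholds below are assumptions constructed for illustration.
Rules:
  IT assets: an exploitable service (RDP, SMB, Telnet, VNC, ...) may be exposed
             only under a documented exception naming compensating controls;
  OT assets: must not be on the public internet at all unless a documented
             exception justifies it AND logging, MFA and a proxy/intermediary
             are in place.
"""

# Services treated as exploitable when reachable from the internet (assumed list).
EXPLOITABLE_PORTS = {
    23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc",
    502: "modbus", 20000: "dnp3", 44818: "ethernet/ip",
}
# Minimum compensating controls an exception must document (assumed policy).
REQUIRED_CONTROLS = {"it": {"mfa", "logging"}, "ot": {"mfa", "logging", "proxy"}}

# Constructed inventory, as an external scan would report it: asset, class, open TCP ports.
INVENTORY = [
    {"asset": "vpn-gw-01", "class": "it", "ports": [443]},
    {"asset": "jump-01", "class": "it", "ports": [443, 3389]},
    {"asset": "file-srv-03", "class": "it", "ports": [445]},
    {"asset": "plc-pump-07", "class": "ot", "ports": [502]},
    {"asset": "hmi-remote-02", "class": "ot", "ports": [443]},
]
# Constructed exception register: justification and the controls actually in place.
EXCEPTIONS = {
    "jump-01": {"justification": "vendor remote support", "controls": {"mfa", "logging"}},
    "hmi-remote-02": {"justification": "unmanned site telemetry", "controls": {"mfa", "logging", "proxy"}},
    "plc-pump-07": {"justification": "", "controls": {"logging"}},  # never actually approved
}


def evaluate(inventory, exceptions):
    """Return findings as (asset, severity, message) tuples, sorted by asset."""
    findings = []
    for a in inventory:
        name, cls = a["asset"], a["class"]
        exposed = [EXPLOITABLE_PORTS[p] for p in a["ports"] if p in EXPLOITABLE_PORTS]
        # OT needs an exception merely for being reachable; IT only for exploitable services.
        if cls != "ot" and not exposed:
            continue
        if cls == "ot":
            what = "OT asset on the public internet" + (f" exposing {', '.join(exposed)}" if exposed else "")
        else:
            what = "exploitable service exposed: " + ", ".join(exposed)
        exc = exceptions.get(name)
        if exc is None or not exc.get("justification"):
            findings.append((name, "high", f"{what}; no documented, justified exception"))
            continue
        missing = REQUIRED_CONTROLS[cls] - set(exc.get("controls", ()))
        if missing:
            findings.append((name, "high", f"{what}; exception lacks compensating controls: {', '.join(sorted(missing))}"))
        else:
            findings.append((name, "info", f"{what}; covered by exception ({exc['justification']})"))
    return sorted(findings)


if __name__ == "__main__":
    for asset, severity, message in evaluate(INVENTORY, EXCEPTIONS):
        print(f"[{severity.upper():4s}] {asset}: {message}")
```

On the sample, `file-srv-03` (SMB, no exception) and `plc-pump-07` (an OT controller whose exception record was never justified) are the two high findings; `jump-01` and `hmi-remote-02` are reported as informational so that the exception trail stays visible to reviewers rather than silently suppressed. An exception that exists but lacks a required control (for instance an OT asset with MFA and logging but no intermediary) is reported as high, since the goal's language makes the additional protections a condition of the exception, not an aspiration.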
References for 2.W No Exploitable Services on the Internet and 2.X Limit Operational Technology Connections to Public Internet (both rows cite the same set):
  NIST SP 800-53: AC-4, SC-7, SC-32, SC-39
  ISA 62443-3-3:2013: SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
  ISO/IEC 27001:2013: A.13.1.1, A.13.2.1, A.14.1.3

x. Appendix 3: Incident Type/Categories
Incident Types involving Malware (based on VERIS with some modifications; enumerations from verisframework.org):
1. Adware
2. Backdoor (enable remote access)
3. Brute force attack
4. Capture data from application or system process
5. Capture data stored on system disk
6. Client-side attack (client-side or browser attack (e.g., redirection, XSS, MitB))
7. Click fraud or Bitcoin mining
8. C2 (command and control)
9. Destroy data (destroy or corrupt stored data)
10. Disable controls (disable or interfere with security controls)
11. DoS (denial of service attack)
12. Downloader (pull updates or other malware)
13. Exploit vulnerability in code (vs. misconfiguration or weakness)
14. Export data to another site or system
15. Packet sniffer (capture data from network)
16. Password dumper (extract credential hashes)
17. RAM scraper or memory parser (capture data from volatile memory)
18. Ransomware (encrypt or seize stored data)
19. Rootkit (maintain local privileges and stealth)
20. Scan network (scan or footprint network)
21. Spam (send spam)
22. Spyware/Keylogger (spyware, keylogger or form-grabber (capture user input or activity))
23. SQL injection attack
24. Adminware (system or network utilities (e.g., PsTools, Netcat))
25. Worm (propagate to other systems or devices)
Incident Types Involving Hacking (based on VERIS with some modifications; enumerations from verisframework.org):
1. Abuse of functionality
2. Brute force or password guessing attacks
3. Buffer overflow
4. Cache poisoning
5. Session prediction: Credential or session prediction
6. CSRF: Cross-site request forgery
7. XSS: Cross-site scripting
8. Cryptanalysis
9. DoS: Denial of service
10. Foot-printing and fingerprinting
11. Forced browsing or predictable resource location
12. Format string attack
13. Fuzz testing
14. HTTP request smuggling
15. HTTP request splitting
16. Integer overflows
17. LDAP injection
18. Mail command injection
19. MitM: Man-in-the-middle attack
20. Null byte injection
21. Offline cracking: Offline password or key cracking (e.g., rainbow tables, Hashcat, JtR)
22. OS commanding
23. Path traversal
24. RFI: Remote file inclusion
25. Reverse engineering
26. Routing detour
27. Session fixation
28. Session replay
29. SOAP array abuse
30. Special element injection
31. SQL injection
32. SSI injection
33. URL redirector abuse
34. Use of backdoor or C2
35. Use of stolen creds
36. XML attribute blowup
37. XML entity expansion
38. XML external entities
39. XML injection
40. XPath injection
41. XQuery injection
42. Virtual machine escape
Incident Types Involving Social Engineering (based on VERIS with some modifications; enumerations from verisframework.org):
1. Baiting (planting infected media)
2. Bribery or solicitation
3. Elicitation (subtle extraction of info through conversation)
4. Extortion or blackmail
5. Forgery or counterfeiting (fake hardware, software, documents, etc.)
6. Influence tactics (leveraging authority or obligation, framing, etc.)
7. Scam (online scam or hoax (e.g., scareware, 419 scam, auction fraud))
8. Phishing (or any type of *ishing)
9. Pretexting (dialogue leveraging invented scenario)
10. Propaganda or disinformation
11. Spam (unsolicited or undesired email and advertisements)

Incident Types Involving Misuse of Assets [sometimes called "Insider Threats"] (based on VERIS with some modifications; enumerations from verisframework.org):
1. Knowledge abuse: Abuse of private or entrusted knowledge
2. Privilege abuse: Abuse of system access privileges
3. Embezzlement, skimming, and related fraud
4. Data mishandling: Handling of data in an unapproved manner
5. Email misuse: Inappropriate use of email or IM
6. Net misuse: Inappropriate use of network or Web access
7. Illicit content: Storage or distribution of illicit content
8. Unapproved workaround or shortcut
9. Unapproved hardware: Use of unapproved hardware or devices
10. Unapproved software: Use of unapproved software or services
Incident Types Involving Physical Actions (based on VERIS with some modifications; enumerations from verisframework.org):
1. Assault (threats or acts of physical violence)
2. Sabotage (deliberate damaging or disabling)
3. Snooping (sneak about to gain info or access)
4. Surveillance (monitoring and observation)
5. Tampering (alter physical form or function)
6. Theft (taking assets without permission)
7. Wiretapping (physical tap to comms line)

Incident Types Involving Human (or Technology) Errors (based on VERIS with some modifications; enumerations from verisframework.org):
1. Classification error (classification or labeling error)
2. Data entry error
3. Disposal error
4. Gaffe (social or verbal slip)
5. Loss or misplacement
6. Maintenance error
7. Misconfiguration
8. Misdelivery (direct or deliver to wrong recipient)
9. Omission (something intended, but not done)
10. Physical accidents (e.g., drops, bumps, spills)
11. Capacity shortage (poor capacity planning)
12. Programming error (flaws or bugs in custom code)
13. Publishing error (private info to public doc or site)
14. Malfunction (technical malfunction or glitch)

Incident Types Involving Environmental Factors (based on VERIS with some modifications; enumerations from verisframework.org):
1. Deterioration and degradation
2. Earthquake
3. EMI: Electromagnetic interference
4. ESD: Electrostatic discharge
5. Temperature: Extreme temperature
6. Fire
7. Flood
8. Hazmat: Hazardous material
9. Humidity
10. Hurricane
11. Ice and snow
12. Landslide
13. Lightning
14. Meteorite
15. Particulates: Particulate matter (e.g., dust, smoke)
16. Pathogen
17. Power failure or fluctuation
18. Tornado
19. Tsunami
20. Vermin
21. Volcanic eruption
22. Leak: Water leak
23. Wind
y. Appendix 4: Critical Infrastructure Sectors and Subsectors
Format of list is as follows:
• Sector
  o Subsector

• Chemical
  o Chemical manufacturing or processing plant
  o Chemical transport
  o Chemical storage warehousing and storage
  o Chemical end user
  o Regulatory, oversight, or industry organization
• Commercial facilities
  o Entertainment and media
  o Gaming
  o Lodging
  o Outdoor events
  o Public assembly
  o Real estate
  o Retail
  o Sports leagues
• Communications
  o Information services
  o Telecommunications
  o Regulatory, oversight, or industry organization
• Critical Manufacturing
  o Primary metal manufacturing
  o Machinery manufacturing
  o Electrical equipment, appliance, and component manufacturing
  o Transportation manufacturing
  o Non-critical manufacturing facility
• Dams
  o Dam project
  o Dams control operations facility
  o Levees and hurricane barriers
  o Navigation locks
  o Mine tailing and industrial waste impoundment
  o Regulatory, oversight, or industry organization
• Defense industrial base
  o Defense manufacturing facility
  o Defense research and development facility
  o Defense logistics and asset management facility
  o Defense industrial base administration and regulatory facility
• Emergency services
  o Law enforcement
  o Fire and emergency services
  o Emergency medical services
  o Emergency management
  o Public works
  o Emergency communication
• Energy
  o Electricity
  o Petroleum
  o Natural gas
  o Coal
  o Ethanol
  o Biodiesel
  o Hydrogen
• Financial Services
  o Banking and credit
  o Securities, commodities, or financial investment
  o Insurance company
• Food and agriculture
  o Supply
  o Processing, packaging, and production
  o Agriculture and food product storage and distribution warehouse
  o Agriculture and food product transportation
  o Agriculture and food product distribution
  o Agriculture and food supporting facility
  o Regulatory, oversight, or industry organization
• Government facilities
  o Elections facilities
  o K-12 education facilities
  o Government education facility
  o Military facility
  o National monument & icon
  o Personnel-oriented government facility
  o Service-oriented government facility
  o Government sensor or monitoring facility
  o Government space facility
  o Government storage or preservation facility
• Healthcare and public health
  o Direct patient healthcare
  o Health information technology
  o Fatality/mortuary services
  o Medical materials
  o Laboratories, blood, and pharmaceuticals
  o Public health services
  o Healthcare educational facility
  o Regulatory, oversight, or industry organization
• Information technology
  o Hardware production
  o Software production
  o Operational support service facility
  o Internet-based content, information, and communications services
• Nuclear reactors, materials, and waste
  o Nuclear reactor facility
  o Nuclear material processing and handling facility
  o Nuclear waste facility
• Transportation systems
  o Aviation
  o Maritime
  o Freight rail
  o Highway and motor carrier
  o Pipeline
  o Postal and shipping
  o Mass transit
• Water and wastewater systems
  o Drinking water
  o Wastewater
  o Regulatory, oversight, or industry organization
z. Appendix 5: Federal Agencies and Sub-Agencies
Format of list is as follows:
• Agency
  o Sub-agency

List
• Advisory Council on Historic Preservation (ACHP)
• African Development Foundation (ADF)
• American Battle Monuments Commission (ABMC)
• Appalachian Regional Commission (ARC)
• Armed Forces Retirement Home
• Broadcasting Board of Governors (BBG)
  o International Broadcasting Bureau
• Central Intelligence Agency (CIA)
• Chemical Safety and Hazard Investigation Board (CSHIB)
• Commission of Fine Arts (CFA)
• Commission on Civil Rights (CCR)
• Commodity Futures Trading Commission (CFTC)
• Congressional Budget Office
• Consumer Financial Protection Bureau (CFPB)
• Consumer Product Safety Commission (CPSC)
• Corporation for National and Community Service (CNCS)
  o Office of Information Technology
• Court Services and Offender Supervision Agency (CSOSA)
• Defense Nuclear Facilities Safety Board (DNFSB)
• Delaware River Basin Commission (DRBC)
• Department of Agriculture (USDA)
  o Agricultural Marketing Service (AMS)
  o Agricultural Research Service
  o Animal & Plant Health Inspection Service
  o Assistant Secretary for Administration
  o Assistant Secretary for Congressional Relations
  o Chief Financial Officer
  o Chief Information Officer (CIO)
  o Cooperative State Research, Education, and Extension Service
  o Departmental Administration
  o Director of Communications
  o Economic Research Service
  o Executive Operations
  o Farm Service Agency
  o Food and Nutrition Service
  o Food Safety Inspection Service
  o Foreign Agricultural Service (FAS)
  o Forest Service
  o General Counsel
  o Grain Inspection, Packers and Stockyard Administration
  o Hawaii Agricultural Research Center
  o Information Technology Services (ITS)
  o Inspector General
  o National Agricultural Library
  o National Agriculture Statistics Service
  o National Finance Center (NFC)
  o Natural Resources Conservation Service
  o Office of Communication
  o Office of the Secretary
  o Research, Economics & Education
  o Risk Management
  o Rural Development
  o Telecommunications Services and Operations (TSO)
  o Under Secretary for Farm and Foreign Agricultural Services
  o Under Secretary for Food Nutrition and Consumer Services
  o Under Secretary for Food Safety
  o Under Secretary for Marketing and Regulatory Programs
  o Under Secretary for Natural Resources and Environment
  o Under Secretary for Research Education and Economics
  o Under Secretary for Rural Development
• Department of Commerce (DOC)
  o Bureau of Economic Analysis (BEA)
  o Bureau of Export Administration
  o Bureau of Industry and Security
  o Bureau of the Census
  o Chief Information Officer (CIO)
  o DOC-CIRT
  o Economic Development Administration
  o Economics and Statistics Administration
  o FEDWorld
  o International Trade Administration (ITA)
  o Minority Business Development Agency
  o National Institute of Standards & Technology (NIST)
  o National Marine Fisheries Service (NMFS)
  o National Ocean Service
  o National Oceanic & Atmospheric Administration (NOAA)
  o National Technical Information Service (NTIS)
  o National Telecommunications & Information Administration
  o National Weather Service
  o Office of Inspector General
  o Office of the Secretary
  o Patent and Trademark Office
  o Technology Administration
  o U.S. Patent and Trademark Office
• Department of Defense (DOD)
  o Air Force (USAF)
  o American Forces Press Service
  o Army (USA)
  o Chief Information Officer (CIO)
  o Defense Commissary Agency
  o Defense Contract and Audit Agency (DCAA)
  o Defense Finance and Accounting Service (DFAS)
  o Defense Information Systems Agency (DISA)
  o Defense Intelligence Agency (DIA)
  o Defense Logistics Agency (DLA)
  o Defense Security Service
  o Defense Technical Information Center (DTIC)
  o Joint Chiefs of Staff (JCS)
  o Joint Task Force-Global Network Operations (JTF-GNO)
  o Marine Corps (USMC)
  o Missile Defense Agency (MDA)
  o National Guard
  o National Security Agency (NSA)
  o Navy (USN)
• Department of Education (EDUC)
  o Chief Information Officer (CIO)
  o Educational Resources Information Center (ERIC)
  o Federal Student Aid (FSA)
  o National Library of Education (NLE)
  o Office of Educational Technology
  o Office of General Counsel
  o Office of Inspector General
  o Office of Intergovernmental and Interagency Affairs
  o Office of Legislation and Congressional Affairs
  o Office of Management
  o Office of Public Affairs
  o Office of the Chief Financial Officer
  o Office of the Chief Information Officer
  o Office of the Secretary
• Department of Energy (DOE)
  o Ames Laboratory
  o Argonne National Laboratory (ANL)
  o Assistant Secretary for Congressional and Intergovernmental
  o Assistant Secretary for Environment Safety and Health (ES&H)
  o Assistant Secretary for Environmental Management
  o Assistant Secretary for Fossil Energy
  o Assistant Secretary for Policy and International Affairs
  o Associate Administrator for Facilities and Operations
  o Associate Administrator for Management and Administration
  o Brookhaven National Lab
  o Chief Information Officer (CIO)
  o Computer Incident Advisory Capability (CIAC)
  o Defense Nuclear Facilities Safety Board Liaison
  o Deputy Administrator for Defense Nuclear Nonproliferation
  o Deputy Administrator for Defense Programs
  o Deputy Administrator for Naval Reactors
  o Energy Information Administration
  o Federal Energy Regulatory Commission
  o FermiLab
  o General Counsel
  o Idaho National Labs
  o Lawrence Berkeley National Laboratory
  o Lawrence Livermore National Laboratory
  o Los Alamos National Laboratory
  o Oak Ridge National Labs
  o Office of Civilian Radioactive Waste Management
  o Office of Counterintelligence
  o Office of Economic Impact and Diversity
  o Office of Emergency Operations
  o Office of Hearings and Appeals
  o Office of Independent Oversights and Performance Assurance
  o Office of Intelligence
  o Office of Management Budget and Evaluation/Chief Financial
  o Office of Nuclear Energy Science and Technology
  o Office of Public Affairs
  o Office of Science
  o Office of Security
  o Office of the Inspector General
  o Office of the Secretary
  o Office of Worker and Community Transition
  o Power Marketing Administrations
  o Secretary of Energy Advisory Board
  o Southwestern Power Administration
  o Under Secretary for Energy Science and Environment
  o Under Secretary for Nuclear Security
• Department of Health and Human Services (HHS)
  o Administration for Children and Families
  o Administration on Aging
  o Agency for Healthcare Research and Quality (AHCRQ)
  o Agency for Toxic Substances and Disease Registry
  o Centers for Disease Control and Prevention (CDC)
  o Centers for Medicare and Medicaid Services (CMS)
  o Chief Information Officer (CIO)
  o Financial Management Systems
  o Food and Drug Administration (FDA)
  o Health Resources and Services Administration
  o Indian Health Service
  o National Institutes of Health (NIH)
  o Office of Inspector General
  o Office of the Secretary
  o Program Support Center
  o Secure One Communications Center (SOCC)
  o Substance Abuse and Mental Health Services Administration
• Department of Homeland Security (DHS)
  o Bureau of Citizenship and Immigration Services
  o Chief Information Officer (CIO)
  o Cybersecurity and Infrastructure Security Agency (CISA)
  o CSIRC
  o Customs & Border Protection
  o Federal Emergency Management Agency (FEMA)
  o Federal Law Enforcement Training Center
  o Federal Protective Service (FPS)
  o Headquarters
  o HSOC
  o Immigration and Customs Enforcement (ICE)
  o Information Analysis Infrastructure Protection (IAIP)
  o National Coordinating Center (NCC Watch)
  o National Infrastructure Coordination Center (NICC)
  o NCSD
  o Office of Immigration Statistics
  o Office of the Inspector General (OIG)
  o Science and Technology Directorate
  o Transportation Security Administration (TSA)
  o United States Coast Guard
  o United States Secret Service
• Department of Housing and Urban Development (HUD)
  o Administration
  o Chief Financial Officer
  o Chief Information Officer (CIO)
  o Chief Procurement Officer
  o Community Planning and Development
  o Congressional and Intergovernmental Relations
  o Enforcement Center
  o Federal Housing Enterprise Oversight
  o General Counsel
  o Government National Mortgage Association (Ginnie Mae)
  o Housing and Urban Development Reading Room
  o Inspector General
  o Multifamily Housing Assistance Restructuring
  o Office of Departmental Equal Employment Opportunity
  o Office of Departmental Operations and Coordination
  o Office of Healthy Homes and Lead Hazard Control
  o Office of the Secretary
  o Policy Development and Research
  o Public Affairs
  o Public and Indian Housing
  o Real Estate Assessment Center
• Department of Justice (DOJ)
  o Antitrust Division (ATR)
  o Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)
  o Civil Division
  o Civil Rights Division
  o Community Relations Service
  o Criminal Division
  o DOJCERT
  o Drug Enforcement Agency (DEA)
  o Environment and Natural Resources Division
  o Executive Office for Immigration Review
  o Executive Office for the U.S. Attorneys
  o Executive Office for the U.S. Trustees
  o Federal Bureau of Investigation (FBI)
  o Federal Bureau of Prisons
  o Inspector General
  o Intelligence Policy and Review
  o Intergovernmental Affairs
  o Justice and Management Division
  o Legal Counsel
  o Legal Policy
  o Legislative Affairs
  o National Drug Intelligence Center (NDIC)
  o Office of Community Oriented Policing Services
  o Office of Federal Detention Trustee (OFDT)
  o Office of Information & Privacy (OIP)
  o Office of Justice Programs (OJP)
  o Office of Professional Responsibility (OPR)
  o Office of the Associate Attorney General
  o Office of the Attorney General
  o Office of the Deputy Attorney General
  o Office of the Pardon Attorney
  o Office of the Solicitor General
  o Public Affairs
  o Tax Division
  o U.S. National Central Bureau - INTERPOL (USNCB)
  o U.S. Parole Commission
  o U.S. Trustee Program (USTP)
  o United States Marshals Service (USMS)
• Department of Labor (DOL)
  o Administration Review Boards (ARB)
  o Benefits Review Board (BRB)
  o Bureau of International Labor Affairs (ILAB)
  o Bureau of Labor Statistics (BLS)
  o Center for Faith-Based and Community Initiatives
  o Employee Benefit Securities Administrations (EBSA)
  o Employee's Compensation Appeals Board (ECAB)
  o Employment Standards Administration (ESA)
  o Employment Training Administration (ETA)
  o Mine Safety Health Administration (MSHA)
  o National Mine Health and Safety Academy
  o Office of Congressional and Intergovernmental Affairs
  o Office of Disability Employment Policy (ODEP)
  o Office of Job Corps (OJC)
  o Office of Public Affairs (OPA)
  o Office of Safety and Health Administration (OSHA)
  o Office of Small Business Programs (OSBP)
  o Office of the Administrative Law Justices (ALJ)
  o Office of the Assistant Secretary for Policy (OASP)
  o Office of the Chief Financial Officer (OCFO)
  o Office of the Inspector General (OIG)
  o Office of the Secretary (OSEC)
  o Office of the Solicitor of Labor (SOL)
  o Veterans Employment and Training Service (VETS)
  o Women's Bureau (WB)
• Department of State (DOS)
  o Agricultural Economics and Business Affairs
  o Appellate Review Board
  o Board of the Foreign Service
  o Bureau of Diplomatic Security
  o Chief Information Officer (CIO)
  o Commissions
  o Coordinator for Counterterrorism
  o Counselor of the Department
  o Country Officers
  o Democracy Human Rights and Labor Bureau
  o Department of State Library
  o Deputy Secretary
  o Examiners for the Foreign Service
  o Executive Secretariat
  o Foreign Service Grievance Board
  o Historian
  o Intelligence and Research
  o Legal Adviser
  o Legislative Affairs
  o NATO (North Atlantic Treaty Organization)
  o Office of the Secretary
  o Office of the United Nations Ambassador
  o Policy Planning Staff
  o Under Secretary for Arms Control and International Security
  o Under Secretary for Global Affairs
  o Under Secretary for Management
  o Under Secretary for Political Affairs
  o Under Secretary for Public Diplomacy and Public Affairs
  o United National Political Affairs
• Department of the Interior (DOI)
  o Bureau of Indian Affairs
  o Bureau of Land Management
  o Bureau of Reclamation
  o Chief Information Officer (CIO)
  o DOI CIRC
  o Fish and Wildlife Service
  o Minerals Management Service
  o National Business Center
  o National Park Service
  o Office of Hearings and Appeals
  o Office of Surface Mining
  o Office of the Inspector General
  o Office of the Secretary
  o US Geological Survey
• Department of the Treasury
  o Alcohol and Tobacco Tax and Trade Bureau (TTB)
  o Bureau of Alcohol Tobacco and Firearms (ATF)
  o Bureau of Engraving and Printing
  o Bureau of the Fiscal Service (BFS)
  o Chief Information Officer (CIO)
  o Comptroller of the Currency
  o Executive Office for Asset Forfeiture
  o Federal Law Enforcement Training Center
  o Financial Crimes Enforcement Network
  o Internal Revenue Service (IRS)
  o Office of the Comptroller of the Currency
  o Office of the Inspector General
  o Office of the Secretary
  o Office of Thrift Supervision (OTS)
  o TCSIRC
  o Treasury Headquarters (Treas-HQ)
  o United States Customs Services
  o United States Mint
  o US Federal Civilian Agency
• Department of Transportation (DOT)
  o Bureau of Transportation Statistics
  o Chief Information Officer (CIO)
  o Federal Aviation Administration (FAA)
  o Federal Highway Administration
  o Federal Motor Carrier Safety Administration
  o Federal Railroad Administration
  o Federal Transit Administration
  o Maritime Administration
  o National Highway Traffic Safety Administration
  o Office of the Inspector General
  o Office of the Secretary
  o Research and Special Programs Administration
  o Saint Lawrence Seaway Development Corporation
  o Surface Transportation Board
  o Transportation Administrative Services Center
  o Transportation CIRC (TCIRC)
• Department of Veterans Affairs
  o Acquisition and Material Management
  o Acute Care Strategic Healthcare Group
  o Administration and Human Resources
  o Allied Clinical Services Strategic Healthcare Group
  o Audit
  o Austin Automation Center
  o Board of Contract Appeals
  o Board of Veterans' Appeals
  o Budget
  o Chief Information Officer (CIO)
  o Congressional and Legislative Affairs
  o Deputy Secretary
  o Disadvantaged and Small Business Utilization
  o Diversity Management and Equal Employment Opportunity
  o Emergency Management Strategic Healthcare Group
  o Employee Education
  o Facilities Management
  o Facilities Service
  o General Counsel
  o Geriatrics and Extended Care Strategic Healthcare Group
  o Information and Technology
  o Inspector General
  o Intergovernmental and Public Affairs
  o Law Enforcement and Security
  o Litigation Docket
  o Management
  o National Cemetery Administration
  o Nursing Strategic Healthcare Group
  o Office of Dentistry
  o Office of Investigations
  o Office of the Secretary
  o Patient Care Services
  o Planning and Elution
  o Planning and Policy
  o Policy Office
  o Primary and Ambulatory Care Strategic Healthcare Group
  o Quality and Performance Office
  o Readjustment Counseling Service
  o Rehabilitation Strategic Healthcare Group
  o Research and Development
  o Support Service
  o Telecommunications
  o VACIRC
  o VASOC
  o Veterans Benefits Administration
  o Veterans Health Administration
• Environmental Protection Agency (EPA)
DRAFT FOR PUBLIC COMMENT
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Equal Employment Opportunity Commission (EEOC)
Executive Office of the President (EOP)
o Office of Management and Budget (OMB)
o United States Trade Representative (USTR)
o White House
Export-Import Bank of the United States (EIIM)
Fannie Mae (FNMA)
Farm Credit Administration (FCA)
Federal Accounting Standards Advisory Board (FASAB)
Federal Communications Commission (FCC)
Federal Deposit Insurance Corporation (FDIC)
Federal Election Commission (FEC)
Federal Energy Regulatory Commission (FERC)
Federal Housing Finance Agency (FHFA)
Federal Judiciary
o Administrative Office of the United States Courts
Federal Labor Relations Authority (FLRA)
Federal Maritime Commission (FMC)
Federal Mediation and Conciliation Service (FMCS)
Federal Mine Safety and Health Review Commission (FMSHRC)
Federal Reserve System (FRS)
o Board of Governors
Federal Retirement Thrift Investment Board (FRTIB)
o Thrift Savings Plan
Federal Trade Commission (FTC)
Freddie Mac (FHLMC)
General Services Administration (GSA)
Government Printing Office
Harry S Truman Scholarship Foundation (HTSF)
Holocaust Memorial Council (HMC)
House of Representatives
Independent Agencies
o United States Consumer Product Safety Commission (CPSC)
Institute of Museum and Library Services (IMLS)
Institute of Peace United States (USIP)
Inter-American Foundation (IAF)
International Boundary and Water Commission
International Broadcasting Bureau (IBB)
International Trade Commission (ITC)
ISAC
o Airport
o Chemical
o Electricity
o Emergency Fire Services
o Energy
o Financial Services (FS)
o Food and Agriculture
o Information Technology (IT)
o Maritime
o Multi-State (MS)
o National Monuments and Icons
o Postal and Shipping
o Public Health
o Real Estate
o Research and Education
o State CIO
o Surface Transportation
o Telecom
o Trucking
o Water
• James Madison Memorial Fellowship Foundation (JMMFF)
• Japan - United States Friendship Commission (JUSFC)
• Javits-Wagner-O'Day Program (JWOD)
• Legal Services Corporation (LSC)
• Library of Congress
• Marine Mammal Commission (MMC)
• Merit Systems Protection Board (MSPB)
• Millennium Challenge Corporation (MCC)
• National Aeronautics and Space Administration (NASA)
o Ames Research Center (ARC)
o Chief Information Officer (CIO)
o Glenn Research Center (GRC)
o Goddard Space Flight Center (GSFC)
o Jet Propulsion Laboratory (JPL)
o Johnson Space Center (JSC)
o Kennedy Space Center (KSC)
o Langley Research Center (LRC)
o Marshall Space Flight Center (MSFC)
o NASIRC
o Stennis Space Center
o Wallops Flight Facility (WFF)
• National Archives and Records Administration (NARA)
• National Capital Planning Commission (NCPC)
• National Council on Disability (NCD)
• National Credit Union Administration (NCUA)
• National Endowment for the Arts
• National Endowment for the Humanities
• National Foundation on the Arts and the Humanities (NFAH)
• National Gallery of Art (NGA)
• National Indian Gaming Commission (NIGC)
• National Institute for Literacy
• National Labor Relations Board (NLRB)
• National Mediation Board (NMB)
• National Railroad Passenger Corporation (AMTRAK)
• National Science Foundation (NSF)
o US Climate Change Science Program (USGCRP)
• National Transportation Safety Board (NTSB)
• Neighborhood Reinvestment Corporation (NBRC)
• Nuclear Regulatory Commission (NRC)
• Nuclear Waste Technical Review Board United States (NWTRB)
• Occupational Safety and Health Administration (OSHA)
• Occupational Safety and Health Review Commission (OSHRC)
• Office of Federal Housing Enterprise Oversight (OFHEO)
• Office of Government Ethics (OGE)
• Office of Navajo & Hopi Indian Relocation
• Office of Personnel Management
• Office of Special Counsel (OSC)
• Office of the Director of National Intelligence (ODNI)
o Information Sharing Environment (ISE)
o Intelligence Advanced Research Projects Activity (IARPA)
o National Counterproliferation Center (NCPC)
o National Counterterrorism Center (NCTC)
o National Intelligence Council (NIC)
o Office of the National Counterintelligence Executive (ONCIX)
• Open Source Information System (OSIS)
• Peace Corps (PC)
• Pension Benefit Guaranty Corporation (PBGC)
• Postal Rate Commission (PRC)
• Railroad Retirement Board (RRB)
• Recovery Accountability and Transparency Board
• Securities and Exchange Commission (SEC)
• Selective Service System (SSS)
• Small Business Administration (SBA)
• Smithsonian Institution (SI)
• Social Security Administration (SSA)
• State Justice Institute (SJI)
• Susquehanna River Basin Commission (SRBC)
• Tennessee Valley Authority (TVA)
• U.S. International Development Finance Corporation (DFC)
• U.S. Senate
• U.S. Trade and Development Agency (TDA)
• United States Agency for International Development (USAID)
• United States Arms Control and Disarmament Agency (ACDA)
• United States Congress
o Government Accountability Office (GAO)
• United States International Trade Commission (USITC)
• United States Postal Service (USPS)
• United States Trade and Development Agency
• US-China Economic and Security Review Commission (USCC)
• Voice of America (VOA)
Privacy Act Statement
Incident Reporting Form 2.0
Authority: 44 U.S.C. § 3101 & 3556, and 6 U.S.C. § 659(c)(1), (3), (9) authorize the collection of this
information.
Purpose: The primary purpose for the collection of this information is to allow the Cybersecurity and
Infrastructure Security Agency (CISA) to contact you about your request.
Routine Uses: The information collected may be disclosed as generally permitted under 5 U.S.C. §
552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary
and authorized by the routine uses published in DHS/ALL-002 - Department of Homeland Security
(DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.
Disclosure: Some entities are regulatorily or statutorily required to submit incident reports to CISA,
and those entities must provide information in this form as required by applicable statute, regulation,
or similar mandate. Failure to provide this information may result in inaccurate record keeping of the
entity’s compliance. For non-mandatory incident reporting, providing this information is voluntary.
However, failure to provide this information will prevent CISA from contacting you in the event
there are questions about your report.
Paperwork Burden Notice:
The public reporting burden to complete this information collection is estimated at 60 minutes per
form response, including the time for reviewing instructions, searching existing data sources,
gathering and maintaining the data needed, and completing and reviewing the collected
information. The collection of information is voluntary. An agency may not conduct or sponsor, and
a person is not required to respond to a collection of information unless it displays a currently valid
OMB control number and expiration date. Send comments regarding this burden estimate or any
other aspect of this collection of information, including suggestions for reducing this burden to DHS/
CISA/CSD, 245 Murray Lane, SW, Mail Stop 0640, Arlington, VA 20598-0640 ATTN: PRA [OMB
Control No. 1670-00XX].