
APPENDIX E: VULNERABILITY AND INCIDENT CATEGORIES

CISA has adopted the following common set of terms to improve clarity for Federal Civilian Executive Branch (FCEB) agencies for reporting to and updating CISA.[40]

Incident – Per the Federal Information Security Modernization Act of 2014 (FISMA), as codified at 44 U.S.C. § 3552(b)(2): An occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

Major Incident – Per the Office of Management and Budget (OMB) Memorandum M-20-04 or subsequent memo, a major incident is either:

  1. Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.[41] Agencies should determine the level of impact of the incident by using the existing incident management process established in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide; or,

  2. A breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. Major incident determination is required for breaches involving PII of 100,000 or more people.[42]

Breach – Per OMB Memorandum M-17-12 or subsequent memo: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other-than-authorized purpose.

Event – Per NIST SP 800-61 Revision 2: An event is any observable occurrence in a system or network.

Vulnerabilities:

  • Internal discovery of potential compromise leveraging a vulnerability

  • Known exploitation of vulnerability (NVD tagged entries; widespread public reporting; viable proof-of-concept exploit released, etc.)

[40] CISA Federal Incident Reporting Requirements (draft)

[41] Using the CISA Cyber Incident Scoring System, this includes Level 3 events (orange), defined as those that are “likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence”; Level 4 events (red), defined as those that are “likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties”; and Level 5 events (black), defined as those that “pose an imminent threat to the provision of wide scale critical infrastructure services, national government stability, or the lives of US persons.”

[42] The analysis for reporting a major breach to Congress is distinct and separate from the assessment of the potential risk of harm to individuals resulting from a suspected or confirmed breach. When assessing the potential risk of harm to individuals, agencies should refer to OMB M-17-12.