Open Source Incident Response

Beginning in Release 2.6, OpenFISMA includes an Incident Response module.

While other applications (both commercial and open source) provide IR functionality, the OpenFISMA module is, as far as we know, the only one that is both open source and tailored to U.S. federal requirements. It is based on NIST guidance (SP 800-61, Computer Security Incident Handling Guide) and on US-CERT incident reporting requirements. For federal agencies, this makes OpenFISMA a turn-key option for standing up a centralized Computer Incident Response Capability (CIRC) built around those federal requirements.

Figure: Incident Response Categorize Screen

The IR module ships with reference data out of the box, so agencies can get up and running quickly. For example, when a new incident report is reviewed, the reviewer can categorize the incident type, which opens a new workflow for the incident.

The categorize screen shown above lists the incident category types that are pre-defined within OpenFISMA. These pre-defined types follow the NIST incident-handling guidance, and each is grouped under a US-CERT reporting category (CAT 1, CAT 2, and so on), which carries its own reporting timeframe. Selecting an incident category therefore assigns the reporting timeframe and the workflow steps in one action, with no additional configuration.

OpenFISMA also provides a graphical interface for configuring incident types, so an agency can add its own types or adjust the pre-defined ones.

Once the incident has been categorized, a workflow is dispatched for that incident report; the workflow is selected automatically from the incident category. The default workflows follow the NIST guidance, and, like the categories, existing workflows can be modified and new workflows can be added.

Figure: Incident Response Workflow

The workflow consists of multiple steps. Each step can optionally be tied to a role, so that only users holding that role can complete it. Completing a step generates an immediate e-mail notification to every user involved in working the incident, so everyone is kept current on incident status.

The centralized incident report page also offers a discussion area where users can post questions and answers about the incident, and a file upload area where artifacts can be attached directly to the incident report. These features speed up communication among the disparate groups involved in the incident response process (such as the inspector general, the system security officer, the privacy incident response team (PIRT), the help desk, and the data forensics team). The system also keeps a permanent record of all activity on an incident for audit and review purposes.
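To make the mechanics described above concrete (a category choice fixing both the US-CERT reporting deadline and the workflow, role-gated steps, per-step notification recipients, and a permanent audit record), here is a small Python model written for this page. It is an added example, not OpenFISMA's code or data model: the category table, workflow steps, role names ("circ", "sysadmin", "isso") and user names are assumptions, and the CAT numbers and deadlines are taken from the older US-CERT federal incident category table and should be checked against current guidance before being relied on.

```python
"""Illustrative model of category-driven incident handling (added example, not
OpenFISMA code). Category/workflow tables, role names and user names are
assumptions; CAT numbers and deadlines follow the older US-CERT federal
incident category table and must be checked against current guidance."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Category:
    name: str                           # incident type picked on the categorize screen
    report_cat: str                     # US-CERT reporting category
    report_within: Optional[timedelta]  # deadline from detection; None = periodic summary only
    workflow: str                       # workflow dispatched when this category is chosen


@dataclass(frozen=True)
class Step:
    name: str
    required_role: Optional[str] = None  # None: any participant may complete the step


# Constructed reference data; a real deployment keeps this in the database.
CATEGORIES = {c.name: c for c in (
    Category("Unauthorized Access", "CAT 1", timedelta(hours=1), "nist-full"),
    Category("Denial of Service", "CAT 2", timedelta(hours=2), "nist-full"),
    Category("Malicious Code", "CAT 3", timedelta(days=1), "nist-full"),
    Category("Improper Usage", "CAT 4", timedelta(weeks=1), "nist-full"),
    Category("Scans/Probes/Attempted Access", "CAT 5", None, "nist-full"),
)}

# Steps follow the SP 800-61 lifecycle; reporting and review are gated to the CIRC role.
WORKFLOWS = {
    "nist-full": (
        Step("Detection and analysis"),
        Step("Report to US-CERT", required_role="circ"),
        Step("Containment", required_role="sysadmin"),
        Step("Eradication and recovery", required_role="sysadmin"),
        Step("Post-incident review", required_role="circ"),
    ),
}


@dataclass
class Incident:
    ident: str
    detected_at: datetime
    participants: dict = field(default_factory=dict)  # user -> role
    category: Optional[Category] = None
    step_index: int = 0
    reported_to_uscert: bool = False
    audit_log: list = field(default_factory=list)     # permanent record of every action

    def categorize(self, name, user, when):
        """Choosing a category fixes the reporting deadline and dispatches the workflow."""
        self.category, self.step_index = CATEGORIES[name], 0
        self.audit_log.append((when, user, f"categorized as {name} ({self.category.report_cat})"))
        return self.category.workflow

    @property
    def report_due(self):
        c = self.category
        return None if c is None or c.report_within is None else self.detected_at + c.report_within

    @property
    def current_step(self):
        steps = WORKFLOWS[self.category.workflow]
        return steps[self.step_index] if self.step_index < len(steps) else None

    def complete_step(self, user, when):
        """Complete the current step if the user holds its role; returns users to e-mail."""
        step = self.current_step
        if step is None:
            raise ValueError("workflow already finished")
        role = self.participants.get(user)
        if role is None or (step.required_role and role != step.required_role):
            raise PermissionError(f"{user} ({role}) may not complete '{step.name}'")
        if step.name == "Report to US-CERT":
            self.reported_to_uscert = True
        self.step_index += 1
        self.audit_log.append((when, user, f"completed '{step.name}'"))
        return sorted(self.participants)  # every participant gets the notification

    def report_overdue(self, now):
        """True while the US-CERT report is still owed and its deadline has passed."""
        due = self.report_due
        return due is not None and not self.reported_to_uscert and now > due


def demo():
    """Walk one constructed CAT 1 incident through categorization and two steps."""
    t0 = datetime(2010, 6, 1, 9, 0)  # constructed detection time
    inc = Incident("INC-1", t0, {"alice": "circ", "bob": "sysadmin", "carol": "isso"})
    inc.categorize("Unauthorized Access", "alice", t0 + timedelta(minutes=5))
    inc.complete_step("carol", t0 + timedelta(minutes=10))     # analysis: any participant
    denied = False
    try:
        inc.complete_step("bob", t0 + timedelta(minutes=20))   # reporting is CIRC-only
    except PermissionError:
        denied = True
    overdue = inc.report_overdue(t0 + timedelta(hours=2))      # 1 h deadline already missed
    inc.complete_step("alice", t0 + timedelta(hours=2, minutes=5))
    return {"report_cat": inc.category.report_cat, "due_hour": inc.report_due.hour,
            "denied": denied, "overdue_before_report": overdue,
            "overdue_after_report": inc.report_overdue(t0 + timedelta(hours=3)),
            "next_step": inc.current_step.name, "audit_entries": len(inc.audit_log)}
```

The point of the model is that the category is the single decision the reviewer makes: the deadline, the step list and who may complete each step all fall out of it, and every action lands in the audit log whether or not it was allowed to proceed. A real deployment would also want the overdue check to drive an escalation notification rather than just a boolean.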

Finally, the IR module adds dashboard and reporting features that most federal agency CIRCs lack today. The dashboard tracks the rates of incident reporting, resolution and rejection, as well as the breakdown of incident categories the agency is seeing. It updates in real time, opening new possibilities for CIRC monitoring and oversight.

Figure: Incident Response Dashboard

In conclusion, this new module can help agencies revamp and streamline their incident response capability and add new oversight and reporting capabilities. As an OpenFISMA module, it is free to license, use and modify. Give it a try on our online demo now!