Cybersecurity Incident Reporting Requirements for Local Governments

Revision History:

  • Date Issued: 10/01/2022
  • Version 1.0
  • Approved by Chip Stewart, State Chief Information Security Officer

Introduction

Pursuant to the requirements of Md. Code, Public Safety Article § 14-104.1 (c)(2) and Md. Code, State Finance & Procurement Article § 3.5-406(b)(2), the State Chief Information Security Officer (SCISO) must establish criteria for local government reporting of cybersecurity incidents.
The law compels the SCISO to set criteria for:
  • When a cybersecurity incident must be reported;
  • The manner in which to report; and
  • The time period within which a report must be made to:
    • The Maryland Security Operations Center (MD-SOC)
    • The appropriate (appointed) Local Emergency Manager (ALEM)
    • The Maryland Joint Operations Center (MJOC)
Local governments include, not by way of limitation, counties, municipalities, local school systems, local school boards, and local health departments.

Cybersecurity incidents are generally defined as events that actually or imminently jeopardize, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or that constitute a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.[1]

The Office of Security Management uses the MITRE ATT&CK[2] Framework to support consistent description of, and communication regarding, the tactics, techniques, and software that are used by threat actors to achieve their objectives. For clarity, MITRE ATT&CK tactics and techniques will be displayed in “bold” and within double quotations throughout this document.

Nothing within this document should be construed as a prohibition against, or discouragement of, reporting potential or suspected cybersecurity incidents, regardless of whether they meet the thresholds described below.

Even when not compulsory, voluntary reporting of cybersecurity incidents is encouraged.

The MD-SOC, the Maryland-Information Sharing and Analysis Center (MD-ISAC), and the MJOC are available 24/7/365 to aid in identifying cybersecurity incidents and ensuring that resources are available to minimize the impact of cybersecurity incidents.

Reporting Criteria

Local governments must report any cybersecurity incident that results in:
  • “Impact”, such as:
    • The potential of, or confirmed, unauthorized modification or deletion of data, regardless of whether the organization was able to recover or restore data.
    • The disruption of a business function resulting from a denial-of-service attack.
  • “Exfiltration”, including:
    • Unauthorized access to, or acquisition of, non-public data, regardless of whether the “Exfiltration” can be confirmed or is merely suspected.
    • “Exfiltration” includes the identification of non-public data attributable to your organization in a forum (e.g., pastebin, darkweb) inconsistent with the expected handling of that data.
Additionally, local governments must report the discovery or detection of:
  • Techniques and software similar to those described in the MITRE ATT&CK Framework “Command and Control” tactic, regardless of whether the source or nature of the “Command and Control” activity can be correlated to related ATT&CK phases or other potentially malicious activity.
  • Direct or circumstantial evidence indicating a threat actor is engaged in the “Collection” tactic, such as:
    • Collections of non-public files stored in a manner inconsistent with normal operations.
  • Techniques, software, activity, logs, files, or other artifacts that would indicate unauthorized behavior consistent with the following tactics:
    • “Persistence”
    • “Lateral Movement”
    • “Discovery”
    • “Credential Access”
    • “Defense Evasion”
    • “Privilege Escalation”
  • Techniques, software, logs, files, or other artifacts consistent with the “Execution” tactic, unless there is a reasonable assurance that protective controls were successful in preventing the attempted attack from progressing to a subsequent tactic.
  • Techniques, software, logs, files, or other artifacts consistent with the “Initial Access” tactic, unless there is a reasonable assurance that protective controls were successful in preventing the attempted attack from progressing to a subsequent tactic.
The SCISO encourages organizations to report to the MD-ISAC any activity, including Indicators of Attack (IOAs) and Indicators of Compromise (IOCs), associated with the “Reconnaissance,” “Resource Development,” “Initial Access,” and “Execution” tactics, because this information can help to protect other organizations.

Manner of Reporting

Cybersecurity incidents must be reported to the following, in the following ways:
  • The jurisdiction’s appointed Local Emergency Manager (ALEM) in a manner prescribed by the ALEM and reaffirmed at least annually by both the ALEM and the local government.
  • State Security Operations Center (MD-SOC) by either (in order of preference):
  • The Maryland Joint Operations Center (MJOC), through the ALEM, by calling 410-517-3660 or emailing [email protected]
Reports should include, at a minimum, the following information:
  • Organization Name
  • Reporter’s name and title, email address, mobile and office phone numbers
  • Date and time of incident detection
  • How it was detected, and observations of what happened or is happening
  • Whether the incident is confirmed or suspected
  • If the cybersecurity incident is ongoing
  • If any life-safety or critical infrastructure systems are impacted or suspected to be impacted
  • A brief description of the business impact of the event.
  • Whether the organization is requesting assistance, and the nature of the assistance requested.
  • What, if any, action has been taken
  • Who has been notified
  • Any additional information material to the incident response

Timing of Reporting

Reports to the MD-SOC must be made as soon as practicable, but not later than one (1) hour after confirmation of a detected cybersecurity incident. If an organization is unsure whether an event constitutes a reportable cybersecurity incident and is actively investigating the circumstances, it may delay reporting for up to three (3) hours from initial detection while working to conclusively determine whether a reportable cybersecurity incident occurred, for a total of four (4) hours between detection and reporting. If, during the course of its investigation, the organization confirms that a reportable cybersecurity incident occurred, it must immediately report the incident to the MD-SOC. Generally, you should not wait for absolute confirmation that a cybersecurity incident has occurred before reporting, because any delay may affect the ability to take preventative and remedial measures to protect information or reduce the risk of harm.

Disclosure of cybersecurity incident reports

Consistent with the guidelines established in the “Guidelines for the Public Reporting of Cybersecurity Incidents,” the State Chief Information Security Officer may publish a public notice of the cybersecurity incident if the incident meets the criteria and thresholds established in that document.

Consistent with the requirements described in Md. Code, State Fin. & Proc. § 3.5-2A-04, the Office of Security Management (OSM) must develop a report on the activities of the Office and the state of cybersecurity preparedness in Maryland, including “the activities and accomplishments of the Office during the previous 12 months at the State and local levels.” This report may include high-level details about the incident, regardless of whether the incident met the thresholds and criteria described in the “Guidelines for the Public Reporting of Cybersecurity Incidents.” Additionally, aggregate data regarding incidents may be shared.

Consistent with the limitations established in MD Gen Provisions Code § 4-338, the OSM must deny requests to inspect records related to incident reports when they contain information about the security of an information system. Because incident reports would necessarily contain information about system vulnerabilities, the OSM will deny requests to inspect these records.

Consistent with the requirements established in Md. Code, State Gov't § 2-1226, information obtained by the Office of Legislative Audits (OLA) is generally protected from disclosure. Additionally, if the information obtained will be included in a public audit report, per the requirements described in Md. Code, State Gov't § 2-1224, cybersecurity findings must be redacted from the public report in a manner consistent with auditing best practices.

Appendix A - Examples of Incidents

Scenario 1 - Phishing

A user receives an email indicating that their email password is about to expire and clicks on the link to reset their password. After clicking the link, they enter their username and password, but the website tells them to try again later. They recognize that they were likely the victim of a phishing attack and report the incident to the service desk, who resets their password, but not before the threat actor unsuccessfully attempts to log into the email service.

The organization is not required to report this incident. While the user was successfully phished, the credentials were changed before the threat actor could gain access. The organization should consider contributing to the collective defense of the State by providing the following IOAs and IOCs to the MD-ISAC:
  • From the email:
    • Sender email address
    • Message Contents
    • Full Message Headers
  • From the phishing website
    • URL (website name)
    • IP addresses associated with the website
    • Contents of the website, including file hashes
  • From the attempted login:
    • IP address used for the attempt to gain unauthorized access

Scenario 2 - Potential evidence of compromise

While conducting troubleshooting of the antivirus service, the IT manager notices a file named mimikatz.exe on the server desktop. Neither the IT manager nor the server administrator is aware of how the file was placed on the system. The IT manager immediately disconnects the computer from the network and confirms that the file does not exist on any of the organization’s other computers. No logs indicate unusual behavior, nor was any other suspicious activity detected.

The organization is required to report this incident. The presence of the mimikatz executable is inconsistent with normal IT operations and likely indicates unauthorized activity consistent with “Credential Access.”

Appendix B – Clarification on Specific Cases

Municipal Governments

Municipal Governments are defined in Maryland law as local governments, and therefore, they (along with the offices, departments, and other organizations established within and outside of their charter) must report cybersecurity incidents using the mechanisms described within this document.

Local Health Departments

While local health departments (LHDs) are generally considered instruments of the State government, Md. Code, Pub. Safety § 14-104.1(2) defines a “local government” to include “local school systems, local school boards, and local health departments.” Some LHDs operate their information technology (IT) systems independently, while others rely on the Maryland Department of Health (MDH) for their IT needs. Operationally, LHDs that rely on MDH for IT services are using the MDH IT systems, not their own.

Given this, LHDs that operate their own IT systems must report using the mechanisms described within this document. LHDs that rely on MDH for IT services should report incidents to MDH in alignment with MDH’s organizational policies and procedures. MDH must then report the incident using the mechanisms described in the “Cybersecurity Incident Reporting Requirements for State Government” document.

School Boards

While school boards are generally considered instruments of the State government, Md. Code, Pub. Safety § 14-104.1(2) defines a “local government” to include “local school systems, local school boards, and local health departments.” Given this, school boards must report using the mechanisms described within this document.

Public School Systems

Public school systems are considered instruments of their respective county government. Further, Md. Code, Pub. Safety § 14-104.1(2) defines a “local government” to include “local school systems, local school boards, and local health departments.” Given this, school systems must report using the mechanisms described within this document.

Public Charter Schools

The Maryland Public Charter School Program was “establish[ed] [as] an alternative means within the existing public school system in order to provide innovative learning opportunities and creative educational approaches to improve the education of students.” As such, a public charter school is part of its jurisdiction’s local school system and, for the reasons given above, public charter schools must report using the mechanisms described within this document.

Private School Systems

Private Schools are not instruments of the State or County governments, and therefore are not subject to the requirements established in this document. Private Schools are strongly encouraged to report cybersecurity incidents to the Maryland Coordination and Analysis Center by emailing them at [email protected] or calling 1-800-492-TIPS (8477).

Public Libraries

Public Libraries in Maryland established under Md. Code, Educ. § 23-401(a) are instruments of the county government, and therefore must report using the mechanisms described within this document.

Paid Fire Departments

Paid Fire Departments within counties are established within their respective County codes as instruments of the County governments. Therefore, county-run fire departments must report using the mechanisms described within this document. This is a requirement regardless of whether they use a network provided by the political subdivision that oversees their operation.

Volunteer Fire Departments

Volunteer Fire Departments are customarily established as non-profit private entities, and therefore are not subject to the requirements established in this document. Volunteer Fire Departments are strongly encouraged to report cybersecurity incidents to the Maryland Coordination and Analysis Center by emailing them at [email protected] or calling 1-800-492-TIPS (8477).

Police Departments and other law enforcement entities

Police Departments within counties and cities are established within their respective County and City codes as instruments of those subdivisions of government. Therefore, police, sheriff, and other law enforcement entities must report using the mechanisms described within this document. This is a requirement regardless of whether they use network connectivity provided by the political subdivision that oversees their operation.