The Computer Security Incident Response Center Is Preventing, Detecting, Reporting, and Responding to Incidents, but Improvements Are Needed

Report Information

Date Issued
Report Number: 2017-20-050
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Information Officer should ensure that the CSIRC corrects the reporting inconsistency by reporting the remaining cell phone that contained PII to the Incident Management and Employee Protection office, and corrects the missing or incomplete documentation indicating the actions to halt the spread of, limit the damage caused by, the incident, and, when applicable, document the effectiveness of the containment actions for the eight incidents.

The Chief Information Officer should ensure that the costs of handling and responding to an incident are captured for the purposes outlined in the NIST Special Publication 800-61, Computer Security Incident Handling Guide.
Recommendation rejected by IRS

The Chief Information Officer should ensure that CSIRC employees and contractors are FISMA compliant with the specialized security training requirement during the FISMA annual cycle. In addition, contractor training documentation should include the number of hours trained, which would assist in determining whether the required number of hours had been completed.

The Chief Information Officer should ensure that system owners remove CSIRC contractors' access privileges to IRS systems when they are noncompliant with FISMA training requirements.

The Chief Information Officer should ensure that CSIRC employees receive the necessary specialized security training to reduce the skills gap and become more proficient toward levels 4 and 5. In addition, consider specialized security training for all first responders that promotes current, real-life cyberattack situations and technology exercises, which includes those locations where the training cannot be obtained elsewhere.