As if the CFATS program did not have enough problems, today CISA announced that there was a cybersecurity breach of their Chemical Security Assessment Tool (CSAT) in January of this year. The notice states that:
“While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.”
CISA has directly contacted individuals with CSAT accounts to notify them of the breach.
CISA has scheduled two webinars to discuss the breach, its potential consequences, and actions facilities should take as a consequence of the breach. Webinars will be held on June 24th, 2024 and July 9th, 2024 (links are to registration pages).
There is an interesting notification problem associated with this potential breach, there is a possibility that that individuals who had been vetted via the CFATS personnel surety tool may have had their data exposed during the breach. CISA does not have access to the contact information for these individuals so cannot make the necessary breach notifications. CISA thus notes that:
“CISA is thereby requesting, on a voluntary basis, that facilities that received the CSAT Ivanti Notification Letter notify individuals submitted by that facility for vetting under the CFATS Personnel Surety Program of this incident. Download a template letter that facilities can use to notify personnel. Alternatively, should facilities decline to notify these individuals, CISA requests that facilities provide CISA with the contact information for individuals submitted under the CFATS Personnel Surety Program on a voluntary basis so that CISA can notify impacted individuals. Facilities can send contact information for personnel that had Personally Identifiable Information (PII) submitted for vetting under CFATS Personnel Surety Program to CFATS.Notifications@cisa.dhs.gov.”
The announcement has a brief frequently asked question section that addresses the following questions:
• How was this
compromise identified?
• What actions did
CISA take to address the compromise?
• If CISA does not
have any evidence of data exfiltration, why are notifications being sent?
• Where can I get
more information on this cybersecurity incident?
• As a facility
official, who do I contact if I have more questions about this incident?
• As a potentially
impacted individual, who do I contact if I have more questions?
• Who is eligible
for identity protection based on this compromise?
• How do I apply for
identity protection?
• Why is identity
protection not available to me?
• What data was
collected in the CFATS Top-Screen survey?
• What data was
collected in the Security Vulnerability Assessment (SVA)?
• What data was
collected in the Site Security Plan/Alternative Security Program (SSP/ASP)?
• What data was
collected in the Personnel Surety Program?
Posts
No comments:
Post a Comment