Thursday, June 20, 2024

CISA Announces CSAT Breach

As if the CFATS program did not have enough problems, today CISA announced that there was a cybersecurity breach of their Chemical Security Assessment Tool (CSAT) in January of this year. The notice states that:

“While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.”

CISA has directly contacted individuals with CSAT accounts to notify them of the breach.

CISA has scheduled two webinars to discuss the breach, its potential consequences, and actions facilities should take as a consequence of the breach. Webinars will be held on June 24th, 2024 and July 9th, 2024 (links are to registration pages).

There is an interesting notification problem associated with this potential breach: individuals who had been vetted via the CFATS personnel surety tool may have had their data exposed during the breach. CISA does not have access to the contact information for these individuals, so it cannot make the necessary breach notifications. CISA thus notes that:

“CISA is thereby requesting, on a voluntary basis, that facilities that received the CSAT Ivanti Notification Letter notify individuals submitted by that facility for vetting under the CFATS Personnel Surety Program of this incident. Download a template letter that facilities can use to notify personnel. Alternatively, should facilities decline to notify these individuals, CISA requests that facilities provide CISA with the contact information for individuals submitted under the CFATS Personnel Surety Program on a voluntary basis so that CISA can notify impacted individuals. Facilities can send contact information for personnel that had Personally Identifiable Information (PII) submitted for vetting under CFATS Personnel Surety Program to CFATS.Notifications@cisa.dhs.gov.”

The announcement has a brief frequently asked questions section that addresses the following questions:

• How was this compromise identified?

• What actions did CISA take to address the compromise?

• If CISA does not have any evidence of data exfiltration, why are notifications being sent?

• Where can I get more information on this cybersecurity incident?

• As a facility official, who do I contact if I have more questions about this incident?

• As a potentially impacted individual, who do I contact if I have more questions?

• Who is eligible for identity protection based on this compromise?

• How do I apply for identity protection?

• Why is identity protection not available to me?

• What data was collected in the CFATS Top-Screen survey?

• What data was collected in the Security Vulnerability Assessment (SVA)?

• What data was collected in the Site Security Plan/Alternative Security Program (SSP/ASP)?

• What data was collected in the Personnel Surety Program?


1 comment:

Jake Brodsky said...

This was first noted back on March 8th of this year. See https://therecord.media/cisa-takes-two-systems-offline-following-ivanti-compromise

I'm not intimately familiar with Recorded Future's reporting, so I can't say much about the accuracy or completeness of this report.

 