In a substantial policy change, all suspected or verified security breaches involving personal data must now be reported within one hour of discovery, according to an OMB memo (PDF) released last week.
While the reporting policy previously depended on the type of incident and whether it had actually been confirmed, the new policy makes no such distinctions: reporting within one hour to US-CERT, the US Computer Emergency Readiness Team, is required in every case.
The memo, by Karen Evans, administrator of OMB's Office of E-Government and IT, also emphasizes the importance of security in agencies' IT work.
First, you must integrate security into, and fund it over, the lifecycle of each system undergoing development, modernization, or enhancement. Second, your steady-state system operations must meet existing security requirements before new funds are spent on system development, modernization, or enhancement.