Voluntary Cyber Incident Reporting

About this Resource 

This page is designed to help entities that may be considering voluntarily reporting cyber incidents understand “who” CISA recommends report an incident, “why and when” CISA recommends they report, as well as “what and how to report.” 

CISA asks every organization and entity that experiences a cyber incident report it to CISA. 

Regardless of whether an organization is, or may later be, subject to regulatory cyber incident reporting requirements, reporting cyber incidents to CISA today benefits all of us across government and industry since cyber incidents have the potential to impact the economy, public health, and our national security.  It also helps inform our collective understanding of the national cyber threat landscape. Cyber incident reporting:

• Enables rapid identification of ongoing incidents and increased understanding of successful mitigation measures, thereby increasing the ability of impacted entities and the Federal government to respond to ongoing campaigns faster and mitigate or minimize the consequences that could result from them.
• Facilitates the identification and sharing of information on exploited vulnerabilities and measures that can be taken to address those vulnerabilities, thereby enabling entities with un-remediated and unmitigated vulnerabilities on their systems to take steps to remedy or mitigate those vulnerabilities before they also fall victim.
• Supports CISA’s ability to share information to enable non-Federal and Federal partners to detect and counter sophisticated cyber campaigns earlier, with the potential to avoid or minimize negative impacts to critical infrastructure or national security, thereby reducing the risks associated with those campaigns. 
• Contributes to a more accurate and comprehensive understanding of the cyber threat environment, allowing CISA’s Federal and non-Federal stakeholders to more efficiently and effectively allocate resources to prevent, deter, defend against, respond to, and mitigate significant cyber threats.
• Supports sharing of information about common threat actor tactics, techniques, and procedures with the information technology community, enabling software developers and vendors to develop more secure products or send out updates to add security to existing products, better protecting end users.
• Allows law enforcement entities to use reported information to investigate, identify, and prosecute perpetrators of cybercrime, getting malicious cyber actors off the street and deterring future actors. 
• Enhances CISA’s ability to identify trends and track cyber threat activity across the cyber threat landscape beyond the Federal agencies that are required to report information to CISA.

Our lives and our work have become increasingly digitized. Web-enabled services and inter-connected devices offer significant efficiencies but also increase exposure to cyber actors seeking to exploit vulnerabilities. Today, nation-state backed cyber actors, cyber criminals, and other threat actors have much wider opportunities to sneak into networks and steal or ransom sensitive information and critical data, position themselves to disrupt service at a time of their choosing, and otherwise wreak havoc.  Compounding the risk is rapidly advancing technology like artificial intelligence, which can make it faster and easier for adversaries to conduct cyber incidents.

Ready to Voluntarily Report a Cyber Incident? 

CISA’s reporting form is designed to help CISA understand what is happening in the cyber threat landscape. Before you click the Report button, these types of information will be helpful to have on hand:

• Identity of the impacted entity
• Contact information for the impacted entity
• Description of the incident, including information such as:
  • A description of the vulnerabilities exploited
  • Explanation of the tactics, techniques, and procedures leveraged by the adversary
  • A description on how the incident was discovered
  • Details on the impact to your organization
  • Details on the impact to the services or goods your organization provides to others
  • Details on any impact to life and safety
• Technical indicators and artifacts associated with the incident such as:
  • Indicators of compromise (ex: malware hashes, IP addresses, domain names, URLs, email addresses, phishing emails or other messages), which can be submitted with your incident report
  • Malware or files suspected of containing or being malware, which can be submitted via the “Report Malware” [fill in whatever word is added to toolkit] within the CISA Services Portal
• Steps taken to mitigate and/or respond to the incident, including an assessment of the effectiveness of such actions

CISA encourages organizations to submit a report immediately with information that is available and understood at the time, and then to return to your incident report as you have new information to provide updates.