| Category | Name | Description | Reporting Timeframe |
| --- | --- | --- | --- |
| CAT 0 | Exercise/Network Defense Testing | This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses. | Not Applicable; this category is for each agency's internal use during exercises. |
| CAT 1 | *Unauthorized Access | In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. | Within one (1) hour of discovery/detection. |
| CAT 2 | *Denial of Service (DoS) | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity. |
| CAT 3 | *Malicious Code | Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. | Daily. Note: Within one (1) hour of discovery/detection if widespread across agency. |
| CAT 4 | *Improper Usage | A person violates acceptable computing use policies. | Weekly |
| CAT 5 | Scans/Probes/Attempted Access | This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. | Monthly. Note: If system is classified, report within one (1) hour of discovery. |
| CAT 6 | Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. | Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated. |