CISA IRS

Dhruv Mehrotra filed this request with the Department of Homeland Security CISA (Cybersecurity and Infrastructure Security Agency) of the United States of America.
Tracking #: 2022-NPFO-00196
Due: Sept. 22, 2022
Est. Completion: None
Status: Awaiting Response

Communications

From: Dhruv Mehrotra

To Whom It May Concern:

Pursuant to the Freedom of Information Act, I hereby request the following records:

The CISA Incident Reporting System provides a secure web-enabled means of reporting computer security incidents to CISA (OMB Control No.: 1670-0037 - https://us-cert.cisa.gov/forms/report). This system assists analysts in providing timely handling of security incidents as well as the ability to conduct improved analysis. I am requesting the records for every incident submitted to CISA through their Incident Reporting System submitted from January 1, 2016 until today’s date. These records should include but are not limited to an Incident ID, Incident Description, Date, Organizational Details (including but not limited to a Name of Org),

Along with the above incident reports, I also am requesting any malware artifacts submitted to the Department of Homeland Security under the "US-CERT AMAC Malware Analysis Submissions" form (https://www.malware.us-cert.gov/). These records should include any file submissions as well as the aforementioned form fields.

If possible, I would prefer that these records be provided in a machine-readable format such as a PDF, CSV or Excel file, and transferred electronically. If you cannot transfer the requested records electronically to my email, then please send them on a CD-ROM.

I am a data reporter for The Center for Investigative Reporting (“CIR”), the oldest non-profit investigative newsroom in the country. As a reporter, I am properly categorized as a news media requester for fee purposes. Additionally, because this request is being made for a journalistic (rather than commercial) purpose, I further ask that you waive any fees for provision of the records. In support of my request for a fee waiver, pursuant to 5 U.S.C. § 552(a)(4)(iii) and 28 C.F.R. § 16.10(k)(2), I submit that disclosure of the requested information is both in the public interest and not primarily in my commercial interests.

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 20 business days, as the statute requires.

Sincerely,

Dhruv Mehrotra

From: Department of Homeland Security CISA (Cybersecurity and Infrastructure Security Agency)

Good Afternoon,
Attached is our acknowledgment of your DHS FOIA request. If you need to contact this office again concerning your request, please provide the DHS reference number. This will enable us to quickly retrieve the information you are seeking and reduce our response time. This office can be reached at 866-431-0486.
Regards,
DHS Privacy Office
Disclosure & FOIA Program
STOP 0655
Department of Homeland Security
245 Murray Drive, SW
Washington, DC 20528-0655
Telephone:  1-866-431-0486 or 202-343-1743
Fax:  202-343-4011
Visit our FOIA website (http://www.dhs.gov/foia)

From: Department of Homeland Security CISA (Cybersecurity and Infrastructure Security Agency)

Good Afternoon,
The program office that was tasked regarding your request asked us to reach out to you for assistance with your request. Your request, as is, would have a voluminous amount of data; we wanted to ask if you would be willing to narrow your request by providing key words. There are 10s of thousands of incident reports; providing a keyword of those incidents can narrow the scope of the search. We will place the case on hold until we receive clarification from you.

The CISA Incident Reporting System provides a secure web-enabled means of reporting computer security incidents to CISA (OMB Control No.: 1670-0037 - https://us-cert.cisa.gov/forms/report). This system assists analysts in providing timely handling of security incidents as well as the ability to conduct improved analysis. I am requesting the records for every incident submitted to CISA through their Incident Reporting System submitted from January 1, 2016 until today’s date. These records should include but are not limited to an Incident ID, Incident Description, Date, Organizational Details (including but not limited to a Name of Org),

Along with the above incident reports, I also am requesting any malware artifacts submitted to the Department of Homeland Security under the "US-CERT AMAC Malware Analysis Submissions" form (https://www.malware.us-cert.gov/). These records should include any file submissions as well as the aforementioned form fields.
Regards,
DHS Privacy Office
Disclosure & FOIA Program
STOP 0655
Department of Homeland Security
245 Murray Drive, SW
Washington, DC 20528-0655
Telephone:  1-866-431-0486 or 202-343-1743
Fax:  202-343-4011
Visit our FOIA website (http://www.dhs.gov/foia)

From: Dhruv Mehrotra

Hello,

Thanks for the response as well as taking some time to talk through this request over the phone. As discussed, the documents I am looking for appear to be sufficiently described insofar as they are incident reports from CISA's Incident Reporting System as well as Malware Artifacts from The Malware Analysis Submissions form. I'd be happy to limit the search to fewer years / by keyword, however given the specific nature of these documents it's difficult for me to give your agency keywords without a better understanding of the responsive documents. Could the agency start by providing a list or index of responsive documents perhaps with just the incident description as well as the incident ID for the last two years? I believe this will give me a sense of what keywords I should include to limit the scope of the initial request. If possible I'd also appreciate the most recent 5 file submissions under the "US-CERT AMAC Malware Analysis Submissions", so I can similarly evaluate them for keywords.

Thanks for working with me on this, and I'll call back in a few days to talk this through.

From: Department of Homeland Security CISA (Cybersecurity and Infrastructure Security Agency)

Good afternoon,

A reply was sent on September 27, 2022. Please respond to that email to continue this request.

Thank you

From: Dhruv Mehrotra

Hello, on September 28, a day after that prior response, I spoke to the agency over the phone and the agency agreed to provide a list or index of responsive documents perhaps with just the incident description as well as the incident ID for the last two years and the most recent 5 file submissions under the "US-CERT AMAC Malware Analysis Submissions", so I can similarly evaluate them for keywords.

I am attaching that correspondence here. I’d love to get this settled soon:

Thanks for the response as well as taking some time to talk through this request over the phone. As discussed, the documents I am looking for appear to be sufficiently described insofar as they are incident reports from CISA's Incident Reporting System as well as Malware Artifacts from The Malware Analysis Submissions form. I'd be happy to limit the search to fewer years / by keyword, however given the specific nature of these documents it's difficult for me to give your agency keywords without a better understanding of the responsive documents. Could the agency start by providing a list or index of responsive documents perhaps with just the incident description as well as the incident ID for the last two years? I believe this will give me a sense of what keywords I should include to limit the scope of the initial request. If possible I'd also appreciate the most recent 5 file submissions under the "US-CERT AMAC Malware Analysis Submissions", so I can similarly evaluate them for keywords.

Thanks for working with me on this, and I'll call back in a few days to talk this through.
