There is now an updated plan for the government’s approach to dealing with cyber incidents involving public or private sector entities.
The Department of Homeland Security (DHS) began work on the National Cyber Incident Response Plan (NCIRP) shortly after President Barack Obama issued the Presidential Policy Directive on Cyber Incident Coordination (PPD-41) in July last year. After publishing a draft in September, DHS has now released the final version.
The NCIRP has three main goals: Define the responsibilities and roles of government agencies, the private sector and international stakeholders; identify the capabilities required to respond to a significant incident; and describe how the government will coordinate its activities with the affected entity.
“The National Cyber Incident Response Plan is not a tactical or operational plan for responding to cyber incidents,” said Homeland Security Secretary Jeh Johnson. “However, it serves as the primary strategic framework for stakeholders when developing agency, sector, and organization-specific operational and coordination plans. This common doctrine will foster unity of effort for emergency operations planning and will help those affected by cyber incidents understand how Federal departments and agencies and other national-level partners provide resources to support mitigation and recovery efforts.”
The NCIRP focuses on four main lines of effort: Threat response, asset response, intelligence support, and affected entity response.
The lead federal agency for threat response is the Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF). Threat response includes mitigating the immediate threat, conducting investigative activity at the affected organization’s site, collecting evidence and intelligence, attributing the attack, linking related incidents and identifying other affected entities, and finding opportunities to pursue and disrupt the threat.
Asset response is handled by the DHS through the National Cybersecurity and Communications Integration Center (NCCIC). Activities in this line of effort include providing technical assistance to help affected entities protect their assets, reducing the impact of the incident, mitigating vulnerabilities, identifying other entities that may be at risk, and assessing potential risks to the affected sector or region.
Threat and asset response teams share some responsibilities, including facilitating information sharing and operational coordination, and providing guidance on the use of federal resources and capabilities.
The lead agency for intelligence support is the Office of the Director of National Intelligence (ODNI), acting through the Cyber Threat Intelligence Integration Center (CTIIC). CTIIC is tasked with supporting the asset and threat response teams, analyzing threat trends and events, identifying knowledge gaps, and mitigating the adversary’s capabilities.