The U.S. Department of Homeland Security has published the National Cyber Incident Response Plan (NCIRP), which aims to describe the government’s approach in dealing with cyber incidents involving public or private sector entities.
The DHS started working on the NCIRP shortly after President Barack Obama released the Presidential Policy Directive on Cyber Incident Coordination (PPD-41) in July last year. After making available a draft in September, the DHS has now announced the release of the final version.
The NCIRP has three main goals: define the responsibilities and roles of government agencies, the private sector and international stakeholders; identify the capabilities required to respond to a significant incident; and describe how the government will coordinate its activities with the affected entity.
“The National Cyber Incident Response Plan is not a tactical or operational plan for responding to cyber incidents,” explained Homeland Security Secretary Jeh Johnson. “However, it serves as the primary strategic framework for stakeholders when developing agency, sector, and organization-specific operational and coordination plans. This common doctrine will foster unity of effort for emergency operations planning and will help those affected by cyber incidents understand how Federal departments and agencies and other national-level partners provide resources to support mitigation and recovery efforts.”
The NCIRP focuses on four main lines of effort: threat response, asset response, intelligence support, and affected entity response.
The lead federal agency for threat response is the Department of Justice through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF). Threat response includes mitigating the immediate threat, investigative activity at the affected organization’s site, collecting evidence and intelligence, attribution, finding links between incidents and identifying other affected entities, and finding opportunities for threat pursuit and disruption.
Asset response is handled by the DHS through the National Cybersecurity and Communications Integration Center (NCCIC). Activities in this line of effort include providing technical assistance to help affected entities protect their assets, reducing the impact of the incident, mitigating vulnerabilities, identifying other entities that may be at risk, and assessing potential risks to the affected sector or region.
Threat and asset response teams have some shared responsibilities, including the facilitation of information sharing and operational coordination, and providing guidance on the use of federal resources and capabilities.
The lead agency for intelligence support is the Office of the Director of National Intelligence (ODNI) through the Cyber Threat Intelligence Integration Center (CTIIC). The agency is tasked with providing support to asset and threat response teams, analyzing trends and events, identifying knowledge gaps, and mitigating the adversary’s capabilities.
If a significant cyber incident involves a federal agency, that agency is responsible for managing the impact of the incident. This can include maintaining business or operational continuity, protecting privacy, addressing adverse financial impact, breach disclosure and notification, and handling media and congressional inquiries.
If the incident affects a private entity, the role of the government is to be aware of that entity’s response activities and assess the potential impact on private sector critical infrastructure.