The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is taking comments on its draft National Cyber Incident Response Plan (NCIRP), developed alongside the Office of the National Cyber Director (ONCD) and with input from industry, which was published Dec. 16 in the Federal Register.
CISA has been revising the NCIRP since October 2023, as directed in the National Cybersecurity Strategy published by the Biden administration earlier that year. The NCIRP, originally published in 2016, is meant to serve as “the nation’s framework for coordinated response to significant cyber incidents.” However, both the cyber threat landscape and the nation’s response capabilities have changed significantly since the original publication, not least through the establishment of CISA and ONCD themselves.
“Today’s increasingly complex threat environment demands that we have a seamless, agile and effective incident response framework,” CISA Director Jen Easterly said in a statement. “This draft NCIRP update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector. We encourage public comment and feedback to help us ensure its maximum effectiveness.”
The goal of the NCIRP is to set out, in broad terms, how the federal government organizes its response to cyber incidents and how that response relates to other federal agencies; state, local, tribal and territorial governments; the private sector; and civil society. Entities should not approach it as “a step-by-step instruction manual on how to conduct a response effort,” CISA said, noting that “every incident and every response is different.”
The plan’s authors laid out four lines of effort: asset response, threat response, intelligence support and affected entity response.
Asset response involves helping affected entities protect their assets, mitigate vulnerabilities and reduce the impact of cyber incidents. Threat response means coordinating law enforcement and national security investigations, collecting evidence and facilitating information sharing.
Intelligence support refers to building situational threat awareness, while affected entity response refers to supporting affected entities’ efforts to manage the impact of a cyber incident.
Cyber incident response comes in two main phases, according to CISA: detection and response. Detection involves the discovery, reporting and validation of an incident, as well as assessing whether it qualifies as a significant cyber incident, which 2016’s Presidential Policy Directive 41 defines as a cyber incident, or group of related incidents, that is likely to result in demonstrable harm to U.S. national security interests, foreign relations or the economy, or to the public confidence, civil liberties, or public health and safety of the American people.
Detecting events and validating their severity requires “active engagement with service providers, the cybersecurity community, and critical infrastructure owners and operators,” the plan said. The detection phase begins when a cyber incident is identified and involves a series of key decisions including determining the incident’s severity, engaging private sector stakeholders for additional information, and understanding the scope and impact of the incident.
In the response phase, entities act to contain, eradicate and recover from incidents, while assisting law enforcement agencies with their investigations. Key decisions in this phase include determining which non-governmental stakeholders can best contribute to solution development and implementation, identifying shared priorities for response and deciding what additional resources might be needed for effective mitigation.
After a significant cyber incident, the Cyber Response Group in the office of the president must order a review of the response and prepare a report within 30 days. A declaration of a significant incident will terminate 120 days after the declaration or its last renewal. The government’s Cyber Safety Review Board also will review the incident to find areas for improving cyber response practices in the public and private sectors.
Cybersecurity has become a constant concern in recent years as nation-state rivals have sought to gain advantages over the U.S. by threatening the integrity of critical infrastructure, including the electric grid. CISA has issued multiple warnings this year about intrusions by actors sponsored by Iran and China, which have used “living off the land” techniques, relying on legitimate built-in administration tools and valid accounts rather than custom malware so that their activity blends in with normal system and network traffic. (See Agencies Describe a Year of Iran Cyber Attacks.)
Members of the public have until Jan. 15, 2025, to register comments on the NCIRP.