NIST Issues Cyber Recovery Playbook

Cyberattacks are inevitable, and federal agencies need recovery plans that assume they'll fall victim to virtual threats, according to a new guide.

The National Institute of Standards and Technology has published its "Guide for Cybersecurity Event Recovery," urging agencies to create detailed procedures for recovering from data breaches and how to notify stakeholders.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

"It’s no longer if you are going to have a cybersecurity event, it is when,” NIST computer scientist Murugiah Souppaya said in a statement. The guide, intended for chief information officers, chief information security officers and other tech officials, recommends several steps, including:

• Identifying the key people who can flesh out recovery plans.
• Documenting all virtual assets in a complete inventory. 
• Creating communication plans, potentially involving public relations and human resources personnel, to "manage expectations and information disclosure about the incident and recovery progress."

But before organizations can begin recovery, they need to establish a "[b]asic knowledge of the adversary’s objective," the report recommended. For example, did they take intellectual property, steal customer data or access money? Organizations also need to understand the "technical mechanisms" the adversary used to ensure they're no longer controlling IT resources, NIST added.

"Most targeted attacks that are part of a large campaign involve multiple types of well-concealed persistence mechanisms," according to NIST.

Without understanding these two elements, "the recovery procedure has a high chance of being ineffective or inefficient and the organization will incur additional cost."

Agencies should also poll their stakeholders about recovery plans after they're drafted, NIST suggested.