Administration finalizes cyber response plan

The Obama administration has approved a long-awaited and debated update to the National Cyber Incident Response Plan that outlines roles and responsibilities in response to a significant cyber incident in the U.S.

Since 2009, the U.S. government has been operating with an interim National Cyber Incident Response Plan that was based on the technology and governance structures of that time. Now, the country has a new and official NCIRP.

The NCIRP is an extension of Presidential Policy Directive 41, issued in July 2016, which assigns specific tasks in response to a significant cyber incident to the Department of Justice, the Department of Homeland Security and the Office of the Director of National Intelligence.

"The NCIRP provides guidance to enable a coordinated whole-of-Nation approach to response activities and coordination with stakeholders during a significant cyber incident impacting critical infrastructure," states the new plan. "The NCIRP sets common doctrine and a strategic framework for national, sector, and individual organization cyber operational plans."

The NCIRP is not designed as a tactical plan, but as a strategic framework that outlines which stakeholders are responsible for the primary lines of effort in response to an incident: threat response (FBI and the Department of Justice), asset response (the Department of Homeland Security), intelligence support (the Office of the Director of National Intelligence) and affected entity response (the entity itself).

A team of government officials, industry leaders and representatives of the 16 designated critical infrastructure sectors drafted the new plan in 90 days over the course of the summer and fall of 2016. FCW previewed the draft in late September.

Then, it went through a 30-day public comment period that led to a number of refinements to the plan that the president has now signed.

The September draft focused on identifying the capabilities and responsibilities of government and industry actors in response to an incident. The NCIRP focuses heavily on the private sector as well as state, local and territorial government entities, and on what they should be doing to prepare for and respond to cyber attacks.

DHS received nearly 800 comments in response to the draft. While a third of comments focused on grammatical problems with the draft, the rest were more substantive and led to significant revisions in the document, according to a DHS official familiar with the process.

The official said that, taken as a whole, the revisions focused on clarifying the relationship between cyber incident response, the core capabilities of stakeholders and the Federal Emergency Management Agency's National Preparedness System.

As a result of the feedback, the order of some sections was changed to clarify the scope, principles, intended audience and relationship to other response systems in the U.S.

One complaint about the initial draft was that descriptions of core capabilities of government and private entities were too dense, and the final plan moved much of that detail to an annex.

Another new annex explains how the NCIRP aligns with PPD-41 and the NIST cybersecurity framework.

The final version also created a "crosswalk" to better align the cyber incident schema with the schema used by the Federal Emergency Management Agency.

The plan describes the purpose of the schema this way: "The schema establishes a common framework to evaluate and assess cyber incidents to ensure that all departments and agencies have a common view of the: Severity of a given incident; Urgency required for responding to a given incident; Seniority level necessary for coordinating response efforts; and Level of investment required for response efforts."

Revisions also focused on trying to help entities that are not inside the Beltway understand the cyber resources available to them and help them better draft and implement their own cyber incident response plans. The final version contains a template for organizations to use to tie their own plans back to the NCIRP.

The new plan also goes into greater detail than the interim NCIRP or PPD-41 about the roles and responsibilities for state and local entities -- in terms of what the federal government expects of them, and what they can expect in terms of federal support and resources.

The DHS official said that there were limits to how specific the plan could be without becoming overly prescriptive and too long, but officials tried to incorporate and de-conflict as many of the comments as possible.

While the plan has an "in case of emergency, break glass" element to it, the official said many elements of the plan apply on a daily basis and are not simply designed for a "cyber Pearl Harbor."

The schema will be active as agencies evaluate future cyber incidents, and the NCIRP will guide future training and coordination efforts as agencies work to internalize the functions outlined in the plan.

The official said that aspects of the NCIRP will be worked into the planning of the next Cyber Storm training exercise slated for this year.