Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems
The Cybersecurity and Infrastructure Security Agency (CISA) is committed to leading the response to cybersecurity incidents and vulnerabilities to safeguard the nation’s critical assets. Section 6 of Executive Order 14028 directed DHS, via CISA, to “develop a standard set of operational procedures (playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch (FCEB) Information Systems.” 1
This document presents two playbooks: one for incident response and one for vulnerability response. These playbooks provide FCEB agencies with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks. In addition, future iterations of these playbooks may be useful for organizations outside of the FCEB to standardize incident response practices. Working together across all federal government organizations has proven to be an effective model for addressing vulnerabilities and incidents. Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these playbooks to evolve the federal government’s practices for cybersecurity response through standardizing shared practices that bring together the best people and processes to drive coordinated actions.
The standardized processes and procedures described in these playbooks:
• Facilitate better coordination and effective response among affected organizations,
• Enable tracking of cross-organizational successful actions,
• Allow for cataloging of incidents to better manage future events, and
• Guide analysis and discovery.
Agencies should use these playbooks to help shape overall defensive cyber operations to ensure consistent and effective response and coordinated communication of response activities
These playbooks are for FCEB entities to focus on criteria for response and thresholds for coordination and reporting. They include communications between FCEB entities and CISA; the connective coordination between incident and vulnerability response activities; and common definitions for key cybersecurity terms and aspects of the response process. Response activities in scope of this playbook include those:
• Initiated by an FCEB agency (e.g., a local detection of malicious activity or discovery of a vulnerability)
• Initiated by CISA (e.g., a CISA alert or directive) or other third parties, including law enforcement, intelligence agencies, or commercial organizations, contractors, and service providers
The Incident Response Playbook applies to incidents that involve confirmed malicious cyber activity and for which a major incident (as defined by the Office of Management and Budget [OMB] in
Memorandum M-20-042 or successor memorandum) has been declared or not yet been reasonably ruled out. The Vulnerability Response Playbook applies to vulnerabilities being actively exploited in the wild. As required by EO 14028, the Director of OMB will issue guidance on FCEB agency use of these playbooks.
Note: these playbooks do not cover response activities that involve threats to classified information or National Security Systems (NSS) as defined by 44 U.S.C.3552(b)(6). See CNSSI10103 for coordination/reporting guidance for incidents specific to NSS or systems that process classified information.
These playbooks apply to all FCEB agencies, information systems used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency. It is the policy of the federal government that information and communications technology (ICT) service providers who have contracted with FCEB agencies must promptly report incidents to such agencies and to CISA.4