PURPOSE
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Capacity Enhancement Guide (CEG) to support Federal Civilian Executive Branch (FCEB) agencies in making risk-informed decisions about the procurement and use of Distributed Denial of Service (DDoS) mitigations to address large-scale volumetric attacks against web services. Section 1 of this guide provides agencies with guidance to prioritize DDoS mitigations based on mission and reputational impact. Section 2 provides detailed descriptions of various DDoS mitigation services to assist agencies as they make risk-informed tradeoff decisions on how to use available resources most effectively. Although this guidance is created and intended for use by FCEB agencies, all organizations are encouraged to review and adopt these recommendations to reduce the risk of volumetric DDoS attacks.
AUDIENCE & SCOPE
CEGs support CISA’s role to reduce the risk to the nation’s cyber and physical infrastructure by sharing high-priority recommendations, best practices, and operational insights in response to systemic threats, vulnerabilities, and risks. This guide is designed to assist FCEB agencies in evaluating and mitigating the risk of volumetric DDoS attacks against their websites and related web services, including by informing investment decisions by agency leadership. These attacks target specific websites with the goal of exhausting the target system’s resources, rendering the target unreachable or inaccessible, and denying users access to the service.
This guide addresses only one type of DDoS attack and should not be considered comprehensive protection against all types of DDoS attacks.
RECOMMENDATIONS
SECTION 1: IMPACT ANALYSIS
This section provides guidance for agencies to assess the impact to their organization of a successful DDoS attack against various web services.
Agencies can use this guide to document risk decisions made in alignment with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). For example, agencies can choose to reference this approach when conducting risk assessments on DDoS enterprise risks and when validating whether chosen DDoS-related security controls sufficiently address the risks to organizational operations and assets, individuals, other organizations, and the nation that prompted selection of these controls. This impact analysis is provided as an example of the analysis agencies should be conducting in support of their risk management responsibilities as prescribed by the Federal Information Security Modernization Act. Agencies’