US Unveils New National Cyber Incident Response Plan – Source: www.infosecurity-magazine.com

The US government has published a new draft National Cyber Incident Response Plan (NCIRP), setting out the roles and responsibilities for public and private sector organizations during cyber incidents.

The Cybersecurity and Infrastructure Security Agency (CISA) is inviting feedback on the draft, with the public comment period concluding on January 15, 2025.

The draft publication follows an update to the 2016 NCIRP, which was called for in the White House’s 2023 National Cybersecurity Strategy and previously set out in the Presidential Policy Directive 41 (PPD-41) in May 2021.

This update responds to changes in the cyber threat landscape, federal law and policy and new organizational capabilities, CISA said.

The agency emphasized that the NCIRP is not a step-by-step instruction manual on how to conduct a response effort, but rather provides a flexible structure that enables businesses to understand how federal, state and local government will partner with them after being hit by a cyber-attack.

The NCIRP relates to a cyber incident that has a severity at or above Level 2 of the Cyber Incident Severity Schema. This means an incident that may impact public health or safety, national security, economic security, foreign relations, civil liberties or public confidence.

How Government Will Support Incident Response

The proposed draft describes four lines of effort across the cyber incident response lifecycle, each of which include coordination mechanisms, key decision points and priority activities.

These lines of efforts cover two main response phases – detection and response.

• Asset Response. This relates to how government agencies can provide technical assistance to affected entities to protect their assets, mitigate vulnerabilities and reduce impacts of cyber incidents. This process also involves assessing potential cascading effects to the sector or region and developing strategies to mitigate these risks. CISA is the lead agency for these efforts.
• Threat Response. These activities involve conducting appropriate law enforcement and national security investigative activity at the affected entity’s site, such as collecting evidence and gathering intelligence. Additionally, this work involves identifying additional affected entities and identifying threat pursuit and disruption opportunities. The Department of Justice and FBI are among the primary law enforcement entities that develop and implement threat response.
• Intelligence Response. Activity in this space focuses on building situational threat awareness and sharing related intelligence, including threat trends and events and how to degrade or mitigate adversary threat capabilities. The Office of the Director of National Intelligence will lead coordinated intelligence support in response to a cyber incident.
• Affected Entity Response. This relates to the management of the impact of a cyber incident, including maintaining operational continuity, addressing adverse financial impacts and complying legal and regulatory requirements. When a cyber incident affects a private entity, the federal government typically will not play a role in this line of effort but it will remain cognizant of the affected entity’s response activities. For attacks on the federal government, the affected agency will be responsible for leading and resourcing its own cyber incident response in coordination with CISA.

CISA wrote: “Comprehensive national preparedness for cyber incidents requires additional planning to address more specific issues and stakeholder communities than the NCIRP alone can provide. CISA will develop and support additional planning documents to meet these needs. CISA plans to implement a regular cycle of revisions to fulfill its statutory responsibility to update, maintain and exercise the NCIRP.”