CISA pitches updated cyber incident response plan as an ‘agile, actionable’ framework

The Cybersecurity and Infrastructure Security Agency on Monday opened a month-long public comment period for its updated draft plan detailing how the public and private sectors should respond to significant cyber incidents.

The revamped National Cyber Incident Response Plan — an effort from CISA, the agency’s Joint Cyber Defense Collaborative and the Office of the National Cyber Director — builds on 2016’s Presidential Policy Directive-41, a pre-CISA document that provided a framework for how the federal government, private sector, international partners and state, local, tribal and territorial (SLTT) governments collectively respond to cyber incidents.

The updated NCIRP, which was called for in the Biden administration’s 2023 national cybersecurity strategy, was compiled after years of what CISA described as “broad and extensive engagement” with Sector Risk Management Agencies, regulators, interagency partners and public- and private-sector partners, according to a release from the agency. The draft document, CISA noted, “considers the evolution in the cyber threat landscape and lessons learned from historical incidents.”

In a briefing with reporters Monday, Jeff Greene, CISA’s executive assistant director for cybersecurity, said more than 150 cyber experts from 66 organizations were consulted in the making of the draft document, many of whom work with the JCDC. The agency also hosted three public listening sessions as part of its work on the plan.

The result of extensive work with government and industry partners, Greene said, is “what we hope is an agile, actionable, updated framework that will provide coherent coordination that matches the pace of our adversaries and the predictable method for how to engage with us.”

The document lays out an organizational structure for national cyber incident response, carving out four lines of response (LOEs): asset response, threat response, intelligence support and affected entity response. CISA would lead coordinated efforts for asset response, while ODNI is tapped to manage intelligence support, and federal law enforcement agencies — including the Department of Justice and FBI — are supposed to handle threat response. The affected entity response depends on the impacted agency or entity.

The draft NCIRP also assigns coordinating responsibilities to various federal agencies and offices for specific incidents, breaks down the key activities and decisions as part of the incident detection and response phases, and details recommended post-incident measures.

Greene said the document is not intended to provide a “blow by blow” for cyber incident response, given that “every incident is going to be different.” But the draft does seek to create a clearly defined path for non-federal stakeholders to have a say in coordinating efforts, Greene said, in addition to “streamlining content and aligning it to the operational life cycle, incorporating relevant legal and policy changes that impact agency roles and responsibilities” and establishing a “predictable life cycle” for future updates.

Giving the private sector a voice in the writing of the NCIRP was “essential from day one,” Greene said, and that input will continue “to be essential going forward.” Industry leaders haven’t been shy about pushing the Biden administration to pare down duplicative and overly burdensome cyber regulations.

“One of the things that we heard pretty loud and clear was the interest that private-sector companies had in knowing where, when and how they plug in with us in the federal government,” he said, adding that CISA tried to “build some predictability into the process.”

Comments on the updated draft are due by Jan. 15, 2025.

The post CISA pitches updated cyber incident response plan as an ‘agile, actionable’ framework appeared first on CyberScoop.