The Cybersecurity and Infrastructure Security Agency (CISA) published a draft update to the National Cyber Incident Response Plan (NCIRP) and is seeking public input. This update, the first since the plan’s original release in 2016, reflects changes in federal policies and cyber operations.
The NCIRP provides a framework for coordinating responses to significant cyber incidents across federal, state, local, tribal, and territorial (SLTT) governments, private sector entities, and international partners. It focuses on four areas of effort: Asset Response, Threat Response, Intelligence Support, and Affected Entity Response.
The draft update is now available for public review and comment through the Federal Register (CISA-2024-0037).
Key Changes in the Draft Update
CISA, working with the Joint Cyber Defense Collaborative (JCDC) and the Office of the National Cyber Director (ONCD), has made several adjustments to the NCIRP. These include:
- Clearer pathways for non-federal stakeholders to participate in cyber incident coordination.
- Streamlined content for easier usability and alignment with operational processes.
- Updated legal and policy information to reflect changes since 2016.
- An established schedule for periodic updates.
The NCIRP draft does not provide step-by-step instructions. Instead, it offers a flexible structure that can be adapted to the incident when it becomes known. It also emphasizes coordination between public and private sectors to respond to cyber threats effectively.
Public Input and Review Period
CISA has invited public and private sector stakeholders to provide comments on the draft NCIRP update. Unsurprisingly, the feedback is intended to address gaps, clarify roles, and enhance the framework’s usability.
Director Jen Easterly highlighted the importance of input from non-governmental stakeholders. She noted that broader participation is necessary to ensure effective incident responses. “This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector. We encourage public comment and feedback to help us ensure its maximum effectiveness,” said Easterly.
National Coordination Structures
The NCIRP outlines how federal agencies will coordinate with each other and with SLTT governments, private entities, and other stakeholders. Key federal roles include:
- CISA: Leads efforts to assist affected organizations in protecting their assets and reducing incident impacts.
- Department of Justice and FBI: Conduct law enforcement investigations, attribute attacks, and work to disrupt threat actors.
- Office of the Director of National Intelligence: Provides intelligence assessments and integrates findings into incident response efforts.
Future Revisions and Incident Management
The draft emphasizes a need for ongoing revisions given the evolving threat landscape. On this there should be no debate. Security is a perishable state, and this is absolutely the case with regard to cybersecurity. CISA has committed to a regular update cycle and intends to incorporate lessons from recent cyber incidents. Additionally, the NCIRP integrates broader federal response frameworks, including those managed by the Federal Emergency Management Agency (FEMA), to address consequences beyond the cyber domain.
Stakeholders are encouraged to align their internal response processes with the NCIRP to streamline coordination during incidents. The draft also identifies key decision points and activities that agencies and partners should consider throughout the lifecycle of a cyber incident, from detection and containment to post-incident review.