In an effort to prepare for a national cyber emergency, a group of state governors as well as the secretaries of Homeland Security and Defense released a response plan in the event of a crisis.
A bipartisan group of 10 White House-appointed governors published the Joint Action Plan July 15 with principles for coordinating information sharing, operational response and mitigation. The plan was approved during the annual meeting of the National Governors Association last week.
“As governors, we are responsible for ensuring the security of not only a wide array of state-owned assets, but also the private sector assets within our states,” Maryland Gov. Martin O’Malley (D), who co-chairs the council, said in a statement.
The issue is particularly relevant for O’Malley’s home state, which houses the National Security Agency (NSA) and U.S. Cyber Command (CYBERCOM). Former NSA and CYBERCOM chief Gen. Keith Alexander made mobilizing cyber units in the National Guard a top priority, which has been carried on by his successor Adm. Mike Rogers. The governors’ plan mentions the National Guard several times and states that DoD will have the opportunity to update or establish policy for state-use of National Guard cyber resources after all other parties to the plan have reviewed their roles and responsibilities.
While the plan remains high-level in its description of response coordination, it does call for leveraging several existing resources in the federal and state governments beyond the National Guard. The plan requests that states move to “near-real-time reporting and analysis” through DHS’ Continuous Diagnostics and Mitigation (CDM) program. Initially aimed at federal agencies, CDM does allow state and local government to procure network security tools at reduced prices through a blanket purchase agreement with 17 firms.
The plan recognizes DHS as the hub for cyber information sharing and instructs states to build on the “efforts developed in response to EO [Executive Order] 13636 and PPD [Presidential Policy Directive]-21.” The two White House documents released in 2013 resulted in DHS’ voluntary information sharing program with the private sector, called Critical Infrastructure Cyber Community (C3). They also led to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework–a voluntary set of set best practices for the private sector.
In addition to the framework, the plan supports NIST’s National Initiative for Cybersecurity Education (NICE), which sponsors National Cybersecurity Awareness Month and other educational campaigns.
The governors’ plan said it will not conflict with existing policy and programs, including EO 13636 and PPD-21.
The nine other governors on the council with O’Malley are Iowa Gov. Terry Branstad (R), Arizona Gov. Jan Brewer (R), Connecticut Gov. Dannel Malloy (D), Hawaii Gov. Neil Abercrombie (D), Illinois Gov. Pat Quinn (D), Missouri Gov. Jay Nixon (D), Nevada Gov. Brian Sandoval (R), Tennessee Gov. Bill Haslam (R) and Wyoming Gov. Matt Mead (R). In addition to the secretaries of Defense and Homeland Security, the President’s counterterrorism adviser, the commander of U.S. Northern Command and the National Guard Bureau chief participated in writing the plan.