After years in the making, the Department of Homeland Security (DHS) on Wednesday released a final National Cyber Incident Response Plan (NCIRP) that further lays out the roles, responsibilities and capabilities for how the nation responds to and recovers from significant cyber security incidents that threaten critical infrastructure.

While the first draft of the plan was presented in 2009 and began the interagency review process, the NCIRP was finalized after President Barack Obama last July directed a review and update of the plan. The final NCIRP builds on Presidential Policy Directive-41 (PPD-41), which Obama issued last July and which specifies how the federal government will respond to significant cyber security incidents against government and private sector networks (Defense Daily, July 26, 2016).

According to PPD-41, DHS, through its National Cybersecurity and Communications Integration Center, has the lead for asset response activities such as mitigation response, identifying entities that might be at risk, and providing technical assistance and risk assessments.

The Justice Department, through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, is the lead federal agency for threat response activities that require law enforcement and national security investigation at an affected entity’s site, the directive says. The Office of the Director of National Intelligence (ODNI) is responsible for providing intelligence support for situational awareness and intelligence sharing.

The NCIRP “expounds” on PPD-41 regarding the “concurrent lines of effort” attached to DHS, the Justice Department, the ODNI and the affected entity, says the 66-page plan, which is dated Dec. 2016.

“The NCIRP builds upon these lines of effort to illustrate a national commitment to strengthening the security and resilience of networked technologies and infrastructure,” the plan says. “This Plan outlines the structure and content from which stakeholders can leverage to inform their development of agency-, sector-, and organization-specific operational plans.”

The plan provides a strategic framework for operational coordination among the relevant federal departments and agencies as well as state, local, territorial and tribal governments. The document points out that it “is not a tactical or operational plan.”

For example, under the section defining threat response activities—for which the Justice Department has the lead—the plan broadly outlines the roles and responsibilities of various stakeholders. In addition to the DoJ, DHS agencies also have roles here including the Secret Service and Immigration and Customs Enforcement Homeland Security Investigations.

The plan also outlines more than a dozen core capabilities and related critical tasks. Some of the core capabilities include access control and identity verification, cybersecurity, forensics and attribution, intelligence and information sharing, and interdiction and disruption.

“The National Cyber Incident Response Plan is based on the guiding principles of PPD 41 and does three critical things,” Homeland Security Secretary Jeh Johnson said in a statement. “First, it defines the roles and responsibilities of federal, state, local, territorial and tribal entities, the private sector, and international stakeholders during a cyber incident. Second, it identifies the capabilities required to respond to a significant cyber incident. And third, it describes the way the federal government will coordinate its activities with those affected by a cyber incident.”

Obama issued PPD-41 to build on lessons learned from major cyber hacks in the United States, including one against the entertainment business of Sony [SNE] and the breach of personnel records at the Office of Personnel Management. The NCIRP incorporates lessons from these and other incidents as well as exercises. The plan is considered a living document, meaning it will be subject to future revisions.

When there is a cyber incident, the federal government will coordinate a response through a Cyber Unified Coordinating Group, also called a Cyber UCG. Private sector participation in a Cyber UCG is voluntary. When an incident affects a private entity, the government won’t “play a role in this line of effort, but it will remain cognizant of the affected entity’s response activities,” DHS says.