CISA Seeking Public Comment on Updated National Cyber Incident Response Plan

The US cybersecurity agency CISA has released a draft version of its updated National Cyber Incident Response Plan (NCIRP) for public comment.

Originally published in 2016, the NCIRP is meant as a framework for how federal, private-sector, state, local, tribal, and territorial (SLTT), and international organizations address higher-severity cyber incidents that could disrupt critical infrastructure or damage equipment.

The plan describes the efforts, mechanisms, involved parties, and decisions and activities that the US government will use to coordinate response to cyber incidents and is meant to promote national unity of effort in detection and response.

The NCIRP (PDF) defines cyber incidents as events over a network that involve exploitable vulnerabilities, security procedures, internal controls, or implementations, and which could impact computers, communication systems or networks, physical infrastructure, or information.

The plan considers events “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people” to be significant cyber incidents.

The NCIRP “provides a flexible framework that responders can use to coordinate their efforts to maximize effectiveness. While voluntary for all stakeholders outside the federal government, CISA encourages private sector, SLTT government, and all other non-federal stakeholders to review the NCIRP to understand how the U.S. government will partner with them in cyber incident response,” CISA notes.

The plan outlines four areas of effort — Asset Response, Threat Response, Intelligence Support, and Affected Entity Response — and identifies coordinating structures that stakeholders may use when cyber incidents require cross-sector, public-private, or federal coordination.

The document also distinguishes between the detection phase, which includes monitoring, analysis, and detection to determine whether an incident can be considered a significant cyber incident, and the response phase, which includes activities meant to contain, eradicate, and recover from an incident.

“Comprehensive national preparedness for cyber incidents requires additional planning to address more specific issues and stakeholder communities than the NCIRP alone can provide. The Cybersecurity and Infrastructure Security Agency (CISA) will develop and support additional planning documents to meet these needs,” the plan reads.

The draft update, CISA says, considers not only the evolution of the cyber threat landscape, but also lessons learned from historical incidents, and addresses the role that each involved stakeholder holds in responding to an incident.

“CISA is seeking more perspectives to help strengthen the NCIRP and invites stakeholders from across the public and private sectors to share their knowledge and experiences, further informing our findings and contributing to this revision,” the cybersecurity agency notes.

CISA opened the public comment period on the draft NCIRP update on Monday and will accept feedback until January 15, 2025. Interested parties can provide comments via the Federal Register.
