U.S. Cyber Incident Coordination

Security Industry Association (SIA)

On July 26, 2016, President Barack Obama issued Presidential Policy Directive (PPD) 41, titled U.S. Cyber Incident Coordination. PPD-41 formally outlines the federal government’s jurisdiction, roles and responsibilities in responding to malicious cyberincidents directed at government or private sector entities.

PPD-41 differentiates “regular” cyberincidents from “significant” cyberincidents, the latter being incidents likely to result in demonstrable harm to the national security interests, foreign relations or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.

Furthermore, PPD-41 entrusts the FBI, the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (ODNI) with leading and synchronizing three concurrent lines of effort: threat response (FBI), asset response (DHS) and intelligence support (ODNI). The PPD provides a three-tiered coordination framework for managing cyberincidents:

  • National policy level: The Cyber Response Group (CRG), chaired by the National Security Council, will coordinate the development and implementation of U.S. government policy and strategy on significant cyberincidents affecting the United States or its interests abroad.
  • National operational level: The lead agencies—FBI, DHS and ODNI—are directed to participate regularly in the CRG and to develop internal coordination procedures. Additionally, in response to a significant cyberincident the lead agencies form a Cyber Unified Coordination Group (UCG) to coordinate response activities in collaboration with private sector entities; state, local, tribal and territorial governments; and relevant sector-specific agencies, ultimately directing the execution of the response.
  • Field level: The lead agencies are directed to coordinate their interaction with each other, and with the affected entity, along each line of effort.

Finally, to build upon PPD-41, DHS is formulating the National Cyber Incident Response Plan (NCIRP). The Plan will formalize incident response practices and further clarify organizational roles, responsibilities and actions to prepare for, respond to and coordinate recovery from a significant cyberincident. Initial drafting of the NCIRP commenced in June 2016, and DHS expects to release the first draft by September 2016. It will be subject to public comment and input from the private sector.