CISA Releases Draft of National Cyber Incident Response Plan
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a draft version of the National Cyber Incident Response Plan (NCIRP), outlining how public- and private-sector organizations should handle significant cyber incidents. The public comment period ends Jan. 15, 2025.
The plan outlines the roles that private, state, local, and tribal governments and federal agencies should play in responding to incidents. It also describes how they should work together on integrated responses. The guidance was formulated after an analysis of real-world incidents, training exercises, and updates to statute and policy, CISA said.
NCIRP defines cyber incidents as events over a network that involve exploitable vulnerabilities, security procedures, internal controls, or implementations that impact computers, communication systems or networks, physical infrastructure, or information. Significant cyber incidents refer to events that result in "demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people."
The draft updates the original version published in 2016. The White House's 2023 National Cybersecurity Strategy pushed to update the plan since the cybersecurity landscape and national response ecosystem have "changed dramatically."
The NCIRP is not intended to be a step-by-step instruction manual for incident response but rather a structure that "responders can use to shape their efforts and maximize both efficiency and coordination," CISA said.
The four lines of effort outlined in the NCIRP are asset response, threat response, intelligence support, and affected entity response. The plan also incorporates coordination mechanisms and key decision points, and offers guidance on prioritization. It outlines both a "detection" phase of an incident, which encompasses monitoring, analysis, and detection, and a "response" phase covering how to contain, eradicate, and recover from incidents.
"While voluntary for all stakeholders outside the federal government, CISA encourages private sector, SLTT government, and all other non-federal stakeholders to review the NCIRP to understand how the U.S. government will partner with them in cyber incident response," CISA said.
source: DarkReading