Donate for the Cryptome archive of files from June 1996 to the present


26 July 2016

Presidential Policy Directive PPD-41 on United States Cyber Incident Coordination


https://www.whitehouse.gov/the-press-office/2016/07/26/fact-sheet-presidential-policy-directive-united-states-cyber-incident-0

July 26, 2016

FACT SHEET: Presidential Policy Directive on United States Cyber Incident Coordination

The new directive spells out how the Federal government will coordinate its incident response activities in the event of a large-scale cyber incident

Today, the President approved a Presidential Policy Directive (PPD) on United States Cyber Incident Coordination.  This new PPD marks a major milestone in codifying the policy that governs the Federal government’s response to significant cyber incidents. 

Since the beginning of his Administration, President Obama has emphasized that malicious cyber activity poses a serious threat to the national and economic security of the United States.  As set forth in the Cybersecurity National Action Plan, over the last seven and a half years the Administration’s cyber policy has been based on three strategic pillars:  raising the level of cybersecurity in our public, private, and consumer sectors, in both the short and the long-term; taking steps to deter, disrupt, and interfere with malicious cyber activity aimed at the United States or its allies; and responding effectively to and recovering from cyber incidents. 

 

Even as we have made progress on all three pillars, the United States has been faced with managing increasingly significant cyber incidents affecting both the private sector and Federal government.  We have applied the lessons learned from these events, as well as our experience in other areas such as counterterrorism and disaster response. That experience has allowed us to hone our approach but also demonstrated that significant cyber incidents demand a more coordinated, integrated, and structured response.  We have also heard from the private sector the need to provide clarity and guidance about the Federal government’s roles and responsibilities.   The PPD builds on these lessons and institutionalizes our cyber incident coordination efforts in numerous respects, including:

  • Establishing clear principles that will govern the Federal government’s activities in cyber incident response;
  • Differentiating between significant cyber incidents and steady-state incidents and applying the PPD’s guidance primarily to significant incidents;
  • Categorizing the government’s activities into specific lines of effort and designating a lead agency for each line of effort in the event of a significant cyber incident;
  • Creating mechanisms to coordinate the Federal government’s response to significant cyber incidents, including a Cyber Unified Coordination Group similar in concept to what is used for incidents with physical effects, and enhanced coordination procedures within individual agencies;
  • Applying these policies and procedures to incidents where a Federal department or agency is the victim; and,
  • Ensuring that our cyber response activities are consistent and integrated with broader national preparedness and incident response policies, such as those implemented through Presidential Policy Directive 8-National Preparedness, so that our response to a cyber incident can seamlessly integrate with actions taken to address physical consequences caused by malicious cyber activity.

 

We also are releasing today a cyber incident severity schema that establishes a common framework within the Federal government for evaluating and assessing the severity of cyber incidents and will help identify significant cyber incidents to which the PPD’s coordination procedures would apply.

 

Incident Response Principles

The PPD outlines five principles that will guide the Federal government during any cyber incident response:

  • Shared Responsibility – Individuals, the private sector, and government agencies have a shared vital interest and complementary roles and responsibilities in protecting the Nation from malicious cyber activity and managing cyber incidents and their consequences.
  • Risk-Based Response – The Federal government will determine its response actions and  resource needs based on an assessment of the risks posed to an entity, national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.
  • Respecting Affected Entities – Federal government responders will safeguard details of the incident, as well as privacy and civil liberties, and sensitive private sector information.
  • Unity of Effort – Whichever Federal agency first becomes aware of a cyber incident will rapidly notify other relevant Federal agencies in order to facilitate a unified Federal response and ensure that the right combination of agencies responds to a particular incident.
  • Enabling Restoration and Recovery – Federal response activities will be conducted in a manner to facilitate restoration and recovery of an entity that has experienced a cyber incident, balancing investigative and national security requirements with the need to return to normal operations as quickly as possible.

 

Significant Cyber Incidents

While the Federal government will adhere to the five principles in responding to any cyber incident, the PPD’s policies and procedures are aimed at a particular class of cyber incident: significant cyber incidents.  A significant cyber incident is one that either singularly or as part of a group of related incidents is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. 

When a cyber incident occurs, determining its potential severity is critical to ensuring the incident receives the appropriate level of attention.  No two incidents are the same and, particularly at the initial stages, important information, including the nature of the perpetrator, may be unknown.  

Therefore, as part of the process of developing the incident response policy, the Administration also developed a common schema for describing the severity of cyber incidents, which can include credible reporting of a cyber threat, observed malicious cyber activity, or both.  The schema establishes a common framework for evaluating and assessing cyber incidents to ensure that all Federal departments and agencies have a common view of the severity of a given incident, the consequent urgency of response efforts, and the need for escalation to senior levels.

The schema describes a cyber incident’s severity from a national perspective, defining six levels, zero through five, in ascending order of severity.  Each level describes the incident’s potential to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.  An incident that ranks at a level 3 or above on this schema is considered “significant” and will trigger application of the PPD’s coordination mechanisms. 

 

Lines of Effort and Lead Agencies

To establish accountability and enhance clarity, the PPD organizes Federal response activities into three lines of effort and establishes a Federal lead agency for each: 

  • Threat response activities include the law enforcement and national security investigation of a cyber incident, including collecting evidence, linking related incidents, gathering intelligence, identifying opportunities for threat pursuit and disruption, and providing attribution.   The Department of Justice, acting through the Federal Bureau of Investigation (FBI) and the National Cyber Investigative Joint Task Force (NCIJTF), will be the Federal lead agency for threat response activities.
  • Asset response activities include providing technical assets and assistance to mitigate vulnerabilities and reducing the impact of the incident, identifying and assessing the risk posed to other entities and mitigating those risks, and providing guidance on how to leverage Federal resources and capabilities.   The Department of Homeland Security (DHS), acting through the National Cybersecurity and Communications Integration Center (NCCIC), will be the Federal lead agency for asset response activities.  The PPD directs DHS to coordinate closely with the relevant Sector-Specific Agency, which will depend on what kind of organization is affected by the incident. 
  • Intelligence Support and related activities include intelligence collection in support of investigative activities, and integrated analysis of threat trends and events to build situational awareness and to identify knowledge gaps, as well as the ability to degrade or mitigate adversary threat capabilities.  The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will be the Federal lead agency for intelligence support and related activities.

In addition to these lines of effort, a victim will undertake a wide variety of response activities in order to maintain business or operational continuity in the event of a cyber incident.  We recognize that for the victim, these activities may well be the most important.  Such efforts can include communications with customers and the workforce; engagement with stakeholders, regulators, or oversight bodies; and recovery and reconstitution efforts.   When a Federal agency is a victim of a significant cyber incident, that agency will be the lead for this fourth line of effort.  In the case of a private victim, the Federal government typically will not play a role in this line of effort, but will remain cognizant of the victim’s response activities consistent with these principles and coordinate with the victim. 

 

Coordination Architecture

In order to facilitate the more coordinated, integrated response demanded by significant cyber incidents, the PPD establishes a three-tiered coordination architecture for handling those incidents:  

National Policy Level:  The PPD institutionalizes the National Security Council-chaired interagency Cyber Response Group (CRG).  The CRG will coordinate the development and implementation of United States Government policy and strategy with respect to significant cyber incidents affecting the United States or its interests abroad.

National Operational Level:  The PPD directs agencies to take two actions at the national operational level in the event of a significant cyber incident. 

  • Activate enhanced internal coordination procedures.  The PPD instructs agencies that regularly participate in the Cyber Response Group to develop these procedures to ensure that they can surge effectively when confronted with an incident that exceeds their day-to-day operational capacity. 
  • Create a Unified Coordination Group.  In the event of a significant cyber incident, the PPD provides that the lead agencies for each line of effort, along with relevant Sector-Specific Agencies (SSAs), state, local, tribal and territorial governments, international counterparts, and private sector entities, will form a Cyber Unified Coordination Group (UCG) to coordinate response activities.  The Cyber UCG shall coordinate the development, prioritization, and execution of cyber response efforts, facilitate rapid information sharing among UCG members, and coordinate communications with stakeholders, including the victim entity.  

Field Level:  The PPD directs the lead agencies for each line of effort to coordinate their interaction with each other and with the affected entity.

 

Integration with Existing Response Policy

The PPD also integrates U.S. cyber incident coordination policy with key aspects of existing Federal preparedness policy to ensure that the Nation will be ready to manage incidents that include both cyber and physical effects, such as a significant power outage resulting from malicious cyber activity.  The PPD will be implemented by the Federal government consistent with existing preparedness and response efforts. 

Implementation tasks

The PPD also directs several follow-on tasks in order to ensure its full implementation.  In particular, it requires that the Administration develop and finalize the National Cyber Incident Response Plan – in coordination with State, Local, Territorial, and Tribal governments, the private sector, and the public – to further detail how the government will manage cyber incidents affecting critical infrastructure.  It also directs DHS and DOJ to develop a concept of operations for how a Cyber UCG will operate and for the NSC to update the charter for the CRG.


https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident

July 26, 2016

Presidential Policy Directive -- United States Cyber Incident Coordination

July 26, 2016

PRESIDENTIAL POLICY DIRECTIVE/PPD-41

SUBJECT: United States Cyber Incident Coordination

The advent of networked technology has spurred innovation, cultivated knowledge, encouraged free expression, and increased the Nation’s economic prosperity. However, the same infrastructure that enables these benefits is vulnerable to malicious activity, malfunction, human error, and acts of nature, placing the Nation and its people at risk. Cyber incidents are a fact of contemporary life, and significant cyber incidents are occurring with increasing frequency, impacting public and private infrastructure located in the United States and abroad.

United States preparedness efforts have positioned the Nation to manage a broad range of threats and hazards effectively. Every day, Federal law enforcement and those agencies responsible for network defense in the United States manage, respond to, and investigate cyber incidents in order to ensure the security of our information and communications infrastructure. The private sector and government agencies have a shared vital interest in protecting the Nation from malicious cyber activity and managing cyber incidents and their consequences. The nature of cyberspace requires individuals, organizations, and the government to all play roles in incident response. Furthermore, effective incident response efforts will help support an open, interoperable, secure, and reliable information and communications infrastructure that promotes trade and commerce, strengthens international security, fosters free expression, and reinforces the privacy and security of our citizens.

While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts. These significant cyber incidents demand unity of effort within the Federal Government and especially close coordination between the public and private sectors.

I. Scope

This Presidential Policy Directive (PPD) sets forth principles governing the Federal Government’s response to any cyber incident, whether involving government or private sector entities. For significant cyber incidents, this PPD also establishes lead Federal agencies and an architecture for coordinating the broader Federal Government response. This PPD also requires the Departments of Justice and Homeland Security to maintain updated contact information for public use to assist entities affected by cyber incidents in reporting those incidents to the proper authorities.

II. Definitions

  1. Cyber incident. An event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. For purposes of this directive, a cyber incident may include a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
  2. Significant cyber incident. A cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

III. Principles Guiding Incident Response

In carrying out incident response activities for any cyber incident, the Federal Government will be guided by the following principles:

  1. Shared Responsibility. Individuals, the private sector, and government agencies have a shared vital interest and complementary roles and responsibilities in protecting the Nation from malicious cyber activity and managing cyber incidents and their consequences.
  2. Risk-Based Response. The Federal Government will determine its response actions and the resources it brings to bear based on an assessment of the risks posed to an entity, our national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.
  3. Respecting affected entities. To the extent permitted under law, Federal Government responders will safeguard details of the incident, as well as privacy and civil liberties, and sensitive private sector information, and generally will defer to affected entities in notifying other affected private sector entities and the public. In the event a significant Federal Government interest is served by issuing a public statement concerning an incident, Federal responders will coordinate their approach with the affected entities to the extent possible.
  4. Unity of Governmental Effort. Various government entities possess different roles, responsibilities, authorities, and capabilities that can all be brought to bear on cyber incidents. These efforts must be coordinated to achieve optimal results. Whichever Federal agency first becomes aware of a cyber incident will rapidly notify other relevant Federal agencies in order to facilitate a unified Federal response and ensure that the right combination of agencies responds to a particular incident. State, local, tribal, and territorial (SLTT) governments also have responsibilities, authorities, capabilities, and resources that can be used to respond to a cyber incident; therefore, the Federal Government must be prepared to partner with SLTT governments in its cyber incident response efforts. The transnational nature of the Internet and communications infrastructure requires the United States to coordinate with international partners, as appropriate, in managing cyber incidents.
  5. Enabling Restoration and Recovery. Federal response activities will be conducted in a manner to facilitate restoration and recovery of an entity that has experienced a cyber incident, balancing investigative and national security requirements, public health and safety, and the need to return to normal operations as quickly as possible.

IV. Concurrent Lines of Effort

In responding to any cyber incident, Federal agencies shall undertake three concurrent lines of effort: threat response; asset response; and intelligence support and related activities. In addition, when a Federal agency is an affected entity, it shall undertake a fourth concurrent line of effort to manage the effects of the cyber incident on its operations, customers, and workforce.

  1. Threat response activities include conducting appropriate law enforcement and national security investigative activity at the affected entity’s site; collecting evidence and gathering intelligence; providing attribution; linking related incidents; identifying additional affected entities; identifying threat pursuit and disruption opportunities; developing and executing courses of action to mitigate the immediate threat; and facilitating information sharing and operational coordination with asset response.
  2. Asset response activities include furnishing technical assistance to affected entities to protect their assets, mitigate vulnerabilities, and reduce impacts of cyber incidents; identifying other entities that may be at risk and assessing their risk to the same or similar vulnerabilities; assessing potential risks to the sector or region, including potential cascading effects, and developing courses of action to mitigate these risks; facilitating information sharing and operational coordination with threat response; and providing guidance on how best to utilize Federal resources and capabilities in a timely, effective manner to speed recovery.  
  3. Threat and asset responders will share some responsibilities and activities, which may include communicating with affected entities to understand the nature of the cyber incident; providing guidance to affected entities on available Federal resources and capabilities; promptly disseminating through appropriate channels intelligence and information learned in the course of the response; and facilitating information sharing and operational coordination with other Federal Government entities.
  4. Intelligence support and related activities facilitate the building of situational threat awareness and sharing of related intelligence; the integrated analysis of threat trends and events; the identification of knowledge gaps; and the ability to degrade or mitigate adversary threat capabilities.
  5. An affected Federal agency shall engage in a variety of efforts to manage the impact of a cyber incident, which may include maintaining business or operational continuity; addressing adverse financial impacts; protection of privacy; managing liability risks; complying with legal and regulatory requirements (including disclosure and notification); engaging in communications with employees or other affected individuals; and dealing with external affairs (e.g., media and congressional inquiries). The affected Federal agency will have primary responsibility for this line of effort.
  6. When a cyber incident affects a private entity, the Federal Government typically will not play a role in this line of effort, but it will remain cognizant of the affected entity’s response activities, consistent with the principles above and in coordination with the affected entity. The relevant sector-specific agency (SSA) will generally coordinate the Federal Government’s efforts to understand the potential business or operational impact of a cyber incident on private sector critical infrastructure.

V. Architecture of Federal Government Response Coordination for Significant Cyber Incidents1

In order to respond effectively to significant cyber incidents, the Federal Government will coordinate its activities in three ways:

  1. National Policy Coordination2

    The Cyber Response Group (CRG), in support of the National Security Council (NSC) Deputies and Principals Committees, and accountable through the Assistant to the President for Homeland Security and Counterterrorism (APHSCT) to the NSC chaired by the President, shall coordinate the development and implementation of United States Government policy and strategy with respect to significant cyber incidents affecting the United States or its interests abroad.
  2. National Operational Coordination
    1. Agency Enhanced Coordination Procedures. Each Federal agency that regularly participates in the CRG, including SSAs, shall establish and follow enhanced coordination procedures as defined in the annex to this PPD in situations in which the demands of responding to a significant cyber incident exceed its standing capacity.
    2. Cyber Unified Coordination Group. A Cyber Unified Coordination Group (UCG) shall serve as the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate. A Cyber UCG shall be formed at the direction of the NSC Principals Committee, Deputies Committee, or the CRG, or when two or more Federal agencies that generally participate in the CRG, including relevant SSAs, request its formation. A Cyber UCG shall also be formed when a significant cyber incident affects critical infrastructure owners and operators identified by the Secretary of Homeland Security as owning or operating critical infrastructure for which a cyber incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
    3. A Cyber UCG will normally consist of Federal lead agencies for threat response, asset response, and intelligence support, but will also include SSAs, if a cyber incident affects or is likely to affect sectors they represent. In addition, as required by the scope, nature, and facts of a particular significant cyber incident, a Cyber UCG may include participation from other Federal agencies, SLTT governments, nongovernmental organizations, international counterparts, or the private sector.
    4. Following the formation of a Cyber UCG, Federal agencies responding to the incident shall assign appropriate senior executives, staff, and resources to execute the agency’s responsibilities as part of a Cyber UCG. The Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight, or command responsibilities. Unless mutually agreed upon between agency heads or their designees, and consistent with applicable legal authorities such as the Economy Act of 1932 (31 U.S.C. 1535), Federal departments and agencies will maintain operational control over their respective agency assets.
    5. Federal lead agencies. In order to ensure that the Cyber UCG achieves maximum effectiveness in coordinating responses to significant cyber incidents, the following agencies shall serve as Federal lead agencies for the specified line of effort:
      1. In view of the fact that significant cyber incidents will often involve at least the possibility of a nation-state actor or have some other national security nexus, the Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, shall be the Federal lead agency for threat response activities.
      2. The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, shall be the Federal lead agency for asset response activities.
      3. The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, shall be the Federal lead agency for intelligence support and related activities.
    6.  
    7. Drawing upon the resources and capabilities across the Federal Government, the Federal lead agencies are responsible for:
      1. Coordinating any multi-agency threat or asset response activities to provide unity of effort, to include coordinating with any agency providing support to the incident, to include SSAs in recognition of their unique expertise;
      2. Ensuring that their respective lines of effort are coordinated with other Cyber UCG participants and affected entities, as appropriate;
      3. Identifying and recommending to the CRG, if elevation is required, any additional Federal Government resources or actions necessary to appropriately respond to and recover from the incident; and
      4. Coordinating with affected entities on various aspects of threat, asset, and affected entity response activities through a Cyber UCG, as appropriate.
  3.  Field-Level Coordination

    Field-level representatives of the Federal asset or threat response lead agencies shall ensure that they effectively coordinate their activities within their respective lines of effort with each other and the affected entity. Such representatives may be co-located with the affected entity.

VI. Unified Public Communications

The Departments of Homeland Security and Justice shall maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant Federal agencies about a cyber incident.

VII. Relationship to Existing Policy

Nothing in this directive alters, supersedes, or limits the authorities of Federal agencies to carry out their functions and duties consistent with applicable legal authorities and other Presidential guidance and directives. This directive generally relies on and furthers the implementation of existing policies and explains how United States cyber incident response structures interact with those existing policies. In particular, this policy complements and builds upon PPD-8 on National Preparedness of March 30, 2011. By integrating cyber and traditional preparedness efforts, the Nation will be ready to manage incidents that include both cyber and physical effects.

BARACK OBAMA


1 Additional details regarding the Federal Government’s coordination architecture for significant cyber incidents are contained in an annex to this PPD.

2 This sub-section supersedes NSPD-54/HSPD-23, paragraph 13, concerning the National Cyber Response Coordination Group.


https://www.whitehouse.gov/the-press-office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident

July 26, 2016

Annex for Presidential Policy Directive -- United States Cyber Incident Coordination

SUBJECT:  Federal Government Coordination Architecture for Significant Cyber Incidents


I.   Scope

This annex to PPD-41, United States Cyber Incident Coordination Policy, provides further details concerning the Federal Government coordination architecture for significant cyber incidents and prescribes certain implementation tasks.

II.  Coordination Architecture

A. National Policy Coordination

The Cyber Response Group (CRG) shall be chaired by the Special Assistant to the President and Cybersecurity Coordinator (Chair), or an equivalent successor, and shall convene on a regular basis and as needed at the request of the Assistant to the President for Homeland Security and Counterterrorism and Deputy National Security Advisor.  Federal departments and agencies, including relevant cyber centers, shall be invited to participate in the CRG, as appropriate, based on their respective roles, responsibilities, and expertise or in the circumstances of a given incident or grouping of incidents.  CRG participants shall generally include senior representatives from the Departments of State, the Treasury, Defense (DOD), Justice (DOJ), Commerce, Energy, Homeland Security (DHS) and its National Protection and Programs Directorate, and the United States Secret Service, the Joint Chiefs of Staff, Office of the Director of National Intelligence, the Federal Bureau of Investigation, the National Cyber Investigative Joint Task Force, the Central Intelligence Agency, and the National Security Agency.  The Federal Communications Commission shall be invited to participate should the Chair assess that its inclusion is warranted by the circumstances and to the extent the Commission determines such participation is consistent with its statutory authority and legal obligations.

The CRG shall:

  1. Coordinate the development and implementation of the Federal Government’s policies, strategies, and procedures for responding to significant cyber incidents;
  2. Receive regular updates from the Federal cybersecurity centers and agencies on significant cyber incidents and measures being taken to resolve or respond to those incidents;
  3. Resolve issues elevated to it by subordinate bodies as may be established, such as a Cyber Unified Coordination Group (UCG);
  4. Collaborate with the Counterterrorism Security Group and Domestic Resilience Group when a cross-disciplinary response to a significant cyber incident is required;
  5. Identify and consider options for responding to significant cyber incidents, and make recommendations to the Deputies Committee, where higher-level guidance is required, in accordance with PPD-1 on Organization of the National Security Council System of February 13, 2009, or any successor; and
  6. Consider the policy implications for public messaging in response to significant cyber incidents, and coordinate a communications strategy, as necessary, regarding a significant cyber incident.

B. National Operational Coordination

To promote unity of effort in response to a significant cyber incident, a Cyber UCG shall:

  1. Coordinate the cyber incident response in a manner consistent with the principles described in section III of this directive;
  2. Ensure all appropriate Federal agencies, including sector-specific agencies (SSAs), are incorporated into the incident response;
  3. Coordinate the development and execution of response and recovery tasks, priorities, and planning efforts, including international and cross-sector outreach, necessary to respond appropriately to the incident and to speed recovery;
  4. Facilitate the rapid and appropriate sharing of information and intelligence among Cyber UCG participants on the incident response and recovery activities;
  5. Coordinate consistent, accurate, and appropriate communications regarding the incident to affected parties and stakeholders, including the public as appropriate; and
  6. For incidents that include cyber and physical effects, form a combined UCG with the lead Federal agency or with any UCG established to manage the physical effects of the incident under the National Response Framework developed pursuant to PPD-8 on National Preparedness.

SSAs shall be members of the UCG for significant cyber incidents that affect or are likely to affect their respective sectors.  As set forth in Presidential Policy Directive 21, the SSAs for critical infrastructure sectors are as follows:  DHS (Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Emergency Services, Government Facilities, Information Technology, Nuclear Reactors, Materials, and Waste, and Transportation Systems); DOD (Defense Industrial Base); Department of Energy (Energy); Department of the Treasury (Financial Services); Department of Agriculture (Food and Agriculture); Department of Health and Human Services (Healthcare and Public Health, and Food and Agriculture); General Services Administration (Government Facilities); Department of Transportation (Transportation Systems); and the Environmental Protection Agency (Water and Wastewater Systems).

A Cyber UCG shall operate in a manner that is consistent with the need to protect intelligence and law enforcement sources, methods, operations, and investigations, the privacy of individuals, and sensitive private sector information.

A Cyber UCG shall dissolve when enhanced coordination procedures for threat and asset response are no longer required or the authorities, capabilities, or resources of more than one Federal agency are no longer required to manage the remaining facets of the Federal response to an incident.

III.  Federal Government Response to Incidents Affecting Federal Networks

Nothing in this directive alters an agency’s obligations to comply with the requirements of the Federal Information Security Modernization Act of 2014 (FISMA) or Office of Management and Budget (OMB) guidelines related to responding to an “incident,” “breach,” or “major incident” as defined in that statute and OMB guidance.  Federal agencies shall follow OMB guidance to determine whether an incident is considered a “major incident” pursuant to FISMA.  If the cyber incident meets the threshold for a “major incident,” it is also a “significant cyber incident” for purposes of this directive and shall be managed in accordance with this directive.

A. Civilian Federal Networks

The Director of OMB oversees Federal agency information security policies and practices.  The Secretary of Homeland Security, in consultation with the Director of OMB, administers the implementation of Federal agency information security policies and practices and operates the Federal information security incident center.  The National Institute of Standards and Technology (NIST) develops standards and guidelines for Federal information systems that are mandatory for Federal agencies to implement. 

Federal agencies shall respond to significant cyber incidents in accordance with this directive and applicable policies and procedures, including the reporting of incidents to DHS as required by the U.S. Computer Emergency Readiness Team Federal incident notification guidelines.

Where the effects of a significant cyber incident are limited to the operational activities of an individual Federal agency, that affected agency shall maintain primary authority over the affected assets and be responsible for managing the restoration services and related networks, systems, and applications and making the decision to restart an affected system.  DHS and other Federal agencies shall provide support as appropriate.

Where a significant cyber incident has an impact on multiple Federal agencies or on the integrity, confidentiality, or availability of services to the public, the decision to restart an affected system rests with the owning Federal agency, but OMB and the Federal lead agencies for threat and asset response shall provide a consolidated, timely written recommendation, with appropriate caveats and conditions, to help inform that owning agency’s decision.

B. DOD Information Network

The Secretary of Defense shall be responsible for managing the threat and asset response to cyber incidents affecting the Department of Defense Information Network, including restoration activities, with support from other Federal agencies as appropriate.

C. Intelligence Community Networks

The Director of National Intelligence shall be responsible for managing the threat and asset response for the integrated defense of the Intelligence Community (IC) information environment through the Intelligence Community Security Coordination Center, in conjunction with IC mission partners and with support from other Federal agencies, as appropriate.

IV.  Implementation and Assessment

Federal agencies shall take the following actions to implement this directive:

A. Charter 

Within 90 days of the date of this directive, the National Security Council (NSC) staff shall update the CRG charter to account for and support the policy set forth herein, which shall be submitted to the President through the Assistant to the President for Homeland Security and Counterterrorism.

B. Enhanced Coordination Procedures

Each Federal agency that regularly participates in the CRG, including SSAs, shall ensure that it has the standing capacity to execute its role in cyber incident response.  To prepare for situations in which the demands of a significant cyber incident exceed its standing capacity, each such agency shall, within 90 days of the date of this directive, establish enhanced coordination procedures that, when activated, bring dedicated leadership, supporting personnel, facilities (physical and communications), and internal processes enabling it to manage a significant cyber incident under demands that would exceed its capacity to coordinate under normal operating conditions.

Within 90 days of the date of this directive, the SSAs shall develop or update sector-specific procedures, as needed and in consultation with the sector(s), for enhanced coordination to support response to a significant cyber incident, consistent with this directive.

Enhanced coordination procedures shall identify the appropriate pathways for communicating with other Federal agencies during a significant cyber incident, including the relevant agency points-of-contact, and for notifying the CRG that enhanced coordination procedures were activated or initiated; highlight internal communications and decisionmaking processes that are consistent with effective incident coordination; and outline processes for maintaining these procedures.

In addition, each Federal agency’s enhanced coordination procedures shall identify the agency’s processes and existing capabilities to coordinate cyber incident response activities in a manner consistent with this directive.  The procedures shall identify a trained senior executive to oversee that agency’s participation in a Cyber UCG.  SSAs shall have a trained senior executive for each of the sectors for which it is the designated SSA under Presidential Policy Directive 21.

Within 120 days of the date of this directive, the SSAs shall coordinate with critical infrastructure owners and operators to synchronize sector-specific planning consistent with this directive. 

C. Training 

Within 150 days of the date of this directive, the Federal Emergency Management Agency shall make necessary updates to its existing Unified Coordination training to incorporate the tenets of this directive.

Within 150 days of the date of this directive, Federal agencies shall update cyber incident coordination training to incorporate the tenets of this directive.

Federal agencies shall identify and maintain a cadre of personnel qualified and trained in the National Incident Management System and Unified Coordination to manage and respond to a significant cyber incident.  These personnel will provide necessary expertise to support tasking and decisionmaking by a Cyber UCG.

D. Exercises 

Within 180 days of the date of this directive, Federal agencies shall incorporate the tenets of this policy in cyber incident response exercises.  This will include exercises conducted as part of the National Exercise Program.  Exercises shall be conducted at a frequency necessary to ensure Federal agencies are prepared to execute the plans and procedures called for under this directive.  When appropriate, exercises shall consider the effectiveness of the end-to-end information sharing process.

E. Cyber UCG Post-Incident Review 

Upon dissolution of each Cyber UCG, the Chair of the CRG shall direct a review of a Cyber UCG’s response to a significant cyber incident at issue and the preparation of a report based on that review to be provided to the CRG within 30 days.  Federal agencies shall modify any plans or procedures for which they are responsible under this directive as appropriate or necessary in light of that report.

F. National Cyber Incident Response Plan

Within 180 days of the date of this directive, DHS and DOJ, in coordination with the SSAs, shall submit a concept of operations for the Cyber UCG to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Director of OMB, that is consistent with the principles, policies, and coordination architecture set forth in this directive.  This concept of operations shall further develop how the Cyber UCG and field elements of the Federal coordination architecture will work in practice for significant cyber incidents, including mechanisms for coordinating with Federal agencies managing the physical effects of an incident that has both cyber and physical elements and for integration of private sector entities in response activities when appropriate.  The Secretary of Homeland Security shall, as appropriate, incorporate or reference this concept of operations in the Cyber Incident Annex required by section 205 of the Cybersecurity Act of 2015.

Within 180 days of the date of this directive, the Secretary of Homeland Security, in coordination with the Attorney General, the Secretary of Defense, and the SSAs, shall submit a national cyber incident response plan to address cybersecurity risks to critical infrastructure to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Director of OMB, that is consistent with the principles, policies, and coordination architecture set forth in this directive.  The Secretary of Homeland Security shall ensure that the plan satisfies section 7 of the National Cybersecurity Protection Act of 2014.  This plan shall be developed in consultation with SLTT governments, sector coordinating councils, information sharing and analysis organizations, owners and operators of critical infrastructure, and other appropriate entities and individuals.  The plan shall take into account how these stakeholders will coordinate with Federal agencies to mitigate, respond to, and recover from cyber incidents affecting critical infrastructure.