DHS Updates the National Cyber Incident Response Plan

  • The Department of Homeland Security recently updated the National Cyber Incident Response Plan.
  • The plan is a strategic framework for understanding the Federal role in responding to a cyber incident. 
  • The federal government assists in threat response, asset response and intelligence support. 

The 2014 Sony hack exposed major shortcomings in how the public and private sectors coordinate in the aftermath of a cyber attack. Three years later, cyber incidents have only increased in frequency, creating a sense of urgency for the Department of Homeland Security to develop a framework for improving public-private coordination immediately following an attack.

In December 2016, the Department of Homeland Security released the updated National Cyber Incident Response Plan (NCIRP). The NCIRP is a comprehensive strategic framework covering the roles and responsibilities of every Federal agency involved in responding to any major cyber incident. CIOs, privacy professionals and the gatekeepers of critical infrastructure should familiarize themselves with the basic structures and processes of the NCIRP in order to more effectively respond to a security breach.

Here’s a breakdown of who handles what, per the NCIRP:



Threat Response

Threat response is an immediate priority in responding to any cyber incident. It is handled by both the Federal Bureau of Investigation (FBI) and the National Cyber Investigative Joint Task Force (NCIJTF). The NCIJTF comprises over 20 partnering agencies from law enforcement, the intelligence community, and the Department of Defense. Its focus, along with the FBI's, is to identify, pursue, capture, and prosecute those responsible.


Asset Response

Federal asset response is designed to provide technical assistance to the victim of a cyber incident. Asset response includes helping the breached entity protect its information, reduce the impact of the breach, and take steps to prevent further hacking. This is coordinated by both the Department of Homeland Security (DHS) and the National Cybersecurity and Communications Integration Center (NCCIC).


Intelligence Support

The Cyber Threat Intelligence Integration Center (CTIIC) is the newest of four multi-agency intelligence centers under the Office of the Director of National Intelligence (ODNI). The CTIIC is responsible for coordinating intelligence gathering, analysis, and application to the cyber incident. It also makes relevant existing intelligence available to the right parties if necessary. The ODNI will be something to keep an eye on, as the incoming Trump administration has signaled a desire to slim down and streamline that agency.


A Useful Roadmap

Cyber incidents are, unfortunately, a reality for businesses in today’s world. But knowing how the Feds will respond under the NCIRP of 2016 will help private entities work with them more effectively and efficiently in the event of a breach.

It is important to note that some states are establishing their own incident response frameworks. How state efforts supplement and overlap with the federal framework is a discussion for another post. The takeaway today is that the Federal government has a process in place for incident response. The process is complex and involves multiple agencies. Nevertheless, it is vital that companies be prepared to interact with the process and successfully navigate its complexities.

Author: Josh Rittenberg

Josh Rittenberg is the Founder and Editor of Breach Memo. He is an attorney in New York City who first became interested in emerging threats while working as an analyst at the Center for Strategic and International Studies (CSIS) Transnational Threats Program in Washington, DC. He has been published by NPR, The American Lawyer, Corporate Counsel, and the CSIS Transnational Threats Update. The views expressed in this blog are his personally and not those of any other person, organization, or other entity.
