What’s in the Updated National Cyber Incident Response Plan?

Late last year, the Cybersecurity and Infrastructure Security Agency (CISA) published the draft National Cyber Incident Response Plan (NCIRP).

What was in the update sent out for public comment?

Read on to find out.

What’s the National Cyber Incident Response Plan?

Well, what’s the NCIRP in the first place? For those who don’t know, the National Cyber Incident Response Plan is the nation’s strategic framework for coordinated response to cyber incidents.

First released in 2016, the plan identifies the structures that response stakeholders should use to coordinate cyber incidents requiring cross-sector, public-private, or federal coordination, describing the following four lines of effort:

  • Asset response
  • Threat response
  • Intelligence support
  • Affected entity response

Although the NCIRP is quite detailed, it’s not actually meant to be a step-by-step instruction manual. Those using the plan should instead approach it as a flexible structure that responders can use to shape their efforts and maximize efficiency and coordination.

Cyber incident response phases

One of the interesting points about the NCIRP is that it distinguishes between two main cyber incident response phases: detection and response. How do they differ?

As you’d imagine, the detection phase encompasses a broad set of continuous monitoring, analysis, and detection activities to validate a reported incident and assess whether it rises to the level of a significant cyber incident.

The response phase, on the other hand, encompasses activities to contain, eradicate, and recover from incidents and to carry out law enforcement and intelligence activities necessary to attribute the incident and hold the perpetrators accountable.  

It’s also important to note that response activities within the scope of the NCIRP are focused on the cybersecurity aspects of the incident, while broader consequence management (including impacts to people and physical infrastructure) should be handled by other processes.

Why change now?

So, why update the National Cyber Incident Response Plan now? For starters, much has changed in the cyber world since 2016.

A massive increase in cyber threats from state and non-state actors precipitated an update in national cybersecurity strategy, and the resulting Strategy document (2023 National Cybersecurity Strategy) called for an update of the 2016 NCIRP.

For the NCIRP update itself, CISA says it collaborated with other government agencies as well as industry partners “to provide an agile, actionable updated framework that ensures coherent coordination to match the pace of our adversaries.”

Key updates to the NCIRP draft

This attention to the cyber environment, and to the pace set by adversaries, shaped the kinds of updates made to the NCIRP draft. So, what are the main takeaways from the updated draft? The four key updates in the draft include:

  • A defined path for non-federal stakeholders to participate in coordination of cyber incident response
  • Improved usability by streamlining content and aligning to an operational lifecycle
  • Relevant legal and policy changes impacting agency roles and responsibilities
  • A predictable cycle for future updates of the NCIRP

What happens next? The draft NCIRP update has gone to public comment. And the public comment period has been extended until February 2025.

However, as the Update itself responds to the deteriorating cybersecurity environment, organizations would do well to read the draft and tease out meaningful measures they can implement expeditiously.

If you’re looking for more strategies to improve your cyber incident response and preparedness, we have just the guide for you. Check out our Guide to Improving Cyber Incident Response and Management for more.
