
CISA releases first draft of updated National Cyber Incident Response Plan

The first draft of the long-awaited update to the National Cyber Incident Response Plan (NCIRP) was published on Monday — marking the first proposed changes to the plan since it was released in 2016.

The 42-page updated NCIRP outlines what the government would do in response to a large-scale cyberattack impacting the national economy. It details how government agencies would coordinate, who would be in charge of key decisions and what would be prioritized. 

It would also cover “structures that response stakeholders should leverage to coordinate cyber incidents requiring cross-sector, public-private, or federal coordination,” according to the Cybersecurity and Infrastructure Security Agency (CISA), which worked on the updated plan with the Office of the National Cyber Director (ONCD) and private sector members of the Joint Cyber Defense Collaborative (JCDC).

CISA officials reiterated that it is not meant to be a strict instruction manual but more of a general outline “that ensures coherent coordination” to match the pace of U.S. adversaries.

“Today’s increasingly complex threat environment demands that we have a seamless, agile, and effective incident response framework,” said CISA Director Jen Easterly. 

“This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector. We encourage public comment and feedback to help us ensure its maximum effectiveness.”

Jeff Greene, executive assistant director for cybersecurity at CISA, told reporters during a press briefing that the agency worked with the private sector to discuss how non-federal stakeholders would participate in the coordination of cyber incident response.

The plan from 2016 was streamlined and updated to include several government agencies, including CISA itself, that did not exist when the plan was first created. The plan covers legal and policy changes that may impact the role of certain government agencies and outlines when the NCIRP will need to be updated next. 

Greene said the plan “is an agile, actionable, updated framework.” The public comment period ends on January 15, 2025.

More than 150 experts from 66 organizations participated in its creation, Greene added.

“Along this way, we hosted three public listening sessions that provided really informative and beneficial feedback, and we've been able to incorporate those stakeholder perspectives,” he said.

“The rule today really requires our nation to be prepared to handle significant cyber incidents that are going to threaten our economy, our national security, as well as our public health and safety.”

Greene added that CISA and other stakeholders looked back at previous incidents and examined how the government responded, helping them to shape the plan based on those lessons. 

As they move forward, Greene said he hopes that every time there is a cyber incident, responders will be able to look back and see what was helpful in the document and what was not properly outlined.

An update to the plan was called for in last year’s National Cyber Strategy, and CISA faced bipartisan backlash in September 2023 for its refusal to create a specific Continuity of the Economy (COTE) plan for a major cyberattack. 

That plan — the creation of which was written into the National Defense Authorization Act for fiscal 2021 — would outline measures the federal government would take in the event of a cyberattack that damaged the U.S. economy in a significant way.

Congress ordered the White House to create the plan in 2021 and finally got a response in August in the form of a 29-page report from CISA, which argued that a new COTE plan would be unnecessary because several plans are already in place to help the country respond to and recover from any cyberattack that causes significant disruption to the U.S. economy.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.