CISA working on updated National Cyber Incident Response Plan

The Cybersecurity and Infrastructure Security Agency (CISA) is working with industry stakeholders and government agencies on a new version of the National Cyber Incident Response Plan (NCIRP) — the framework that outlines the country’s response to significant cyber incidents.

The updated plan was mandated in the 2023 National Cybersecurity Strategy, and CISA is now working with the Office of the National Cyber Director (ONCD) to coordinate input from regulators, critical infrastructure organizations and more.

Eric Goldstein, executive assistant director for Cybersecurity at CISA, said in a statement on Friday that a new version of the plan was needed since the original was first released seven years ago.

“Our approach to update the NCIRP will be grounded in transparency and collaboration, recognizing that the private sector is often the first responder to many cyber incidents and that adversary campaigns increasingly transcend national borders,” he said.

“Our goal is… to provide an agile, actionable framework that can be actively used by every organization involved in cyber incident response to ensure coherent coordination that matches the pace of our adversaries.”

Goldstein added that the new plan seeks to “more effectively respond to and recover from cyber incidents in a manner that reduces harm to every possible victim.”

Neither CISA nor ONCD existed when the plan was first released, and the agencies noted that the cybersecurity landscape has changed drastically, with more mature incident response plans used by a variety of private sector organizations in a threat landscape that now includes devastating ransomware attacks.

Federal CISO and Deputy National Cyber Director Christopher DeRusha explained that the plan is vital to the government’s work in becoming more “collaborative, agile and responsive to the evolving threat landscape.”

CISA began meeting with stakeholders in September and will continue holding listening sessions through November. In December, they will shift to writing the document before opening it up to the public for comment.

According to a fact sheet shared by the agency, they expect the updated plan to be approved and published by the end of calendar year 2024.

CISA faced bipartisan backlash in September for its refusal to create a specific Continuity of the Economy (COTE) plan for a major cyberattack. The plan — which was written into the National Defense Authorization Act for fiscal 2021 — would outline measures the federal government would take in the event of a cyberattack that damaged the U.S. economy in a significant way.

Congress ordered the White House to create the plan in 2021 and finally got a response in August. The 29-page report from CISA argues that a new COTE plan would be unnecessary considering there are already several plans in place to help the country respond and recover from any cyberattack that causes significant disruption to the U.S. economy.

Some industry stakeholders warned the federal government that detailed plans were needed for how coordination would work in the event of a large-scale cyberattack affecting critical parts of the U.S. economy or government.