26 July 2016
Presidential Policy Directive PPD-41 on United States Cyber Incident
FACT SHEET: Presidential Policy Directive on United States Cyber
The new directive spells out how the Federal government will coordinate
its incident response activities in the event of a large-scale cyber
Today, the President approved a Presidential Policy Directive (PPD) on United
States Cyber Incident Coordination. This new PPD marks a major milestone
in codifying the policy that governs the Federal government's
response to significant cyber incidents.
Since the beginning of his Administration, President Obama has emphasized
that malicious cyber activity poses a serious threat to the national and
economic security of the United States. As set forth in the
National Action Plan, over the last seven and a half years the
Administration's cyber policy has been based on three strategic
pillars: raising the level of cybersecurity in our public, private,
and consumer sectors, in both the short and the long-term; taking steps to
deter, disrupt, and interfere with malicious cyber activity aimed at the
United States or its allies; and responding effectively to and recovering
from cyber incidents.
Even as we have made progress on all three pillars, the United States has
been faced with managing increasingly significant cyber incidents affecting
both the private sector and Federal government. We have applied the
lessons learned from these events, as well as our experience in other areas
such as counterterrorism and disaster response. That experience has
allowed us to hone our approach but also demonstrated that significant cyber
incidents demand a more coordinated, integrated, and structured response.
We have also heard from the private sector the need to provide clarity and
guidance about the Federal government's roles and
responsibilities. The PPD builds on these lessons and
institutionalizes our cyber incident coordination efforts in numerous respects:
Establishing clear principles that will govern the Federal
government's activities in cyber incident response;
Differentiating between significant cyber incidents and steady-state incidents
and applying the PPD's guidance primarily to significant
Categorizing the government's activities into specific
lines of effort and designating a lead agency for each line of effort in
the event of a significant cyber incident;
Creating mechanisms to coordinate the Federal government's
response to significant cyber incidents, including a Cyber Unified Coordination
Group similar in concept to what is used for incidents with physical effects,
and enhanced coordination procedures within individual agencies;
Applying these policies and procedures to incidents where a Federal department
or agency is the victim; and,
Ensuring that our cyber response activities are consistent and integrated
with broader national preparedness and incident response policies, such as
those implemented through
Policy Directive 8-National Preparedness, so that our response to a cyber
incident can seamlessly integrate with actions taken to address physical
consequences caused by malicious cyber activity.
We also are releasing today a cyber incident severity schema that establishes
a common framework within the Federal government for evaluating and assessing
the severity of cyber incidents and will help identify significant cyber
incidents to which the PPD's coordination procedures would
Incident Response Principles
The PPD outlines five principles that will guide the Federal government during
any cyber incident response:
Shared Responsibility — Individuals, the
private sector, and government agencies have a shared vital interest and
complementary roles and responsibilities in protecting the Nation from malicious
cyber activity and managing cyber incidents and their consequences.
Risk-Based Response — The Federal government
will determine its response actions and resource needs based on an
assessment of the risks posed to an entity, national security interests,
foreign relations, or economy of the United States or to the public confidence,
civil liberties, or public health and safety of the American people.
Respecting Affected Entities — Federal
government responders will safeguard details of the incident, as well as
privacy and civil liberties, and sensitive private sector information.
Unity of Effort — Whichever Federal agency
first becomes aware of a cyber incident will rapidly notify other relevant
Federal agencies in order to facilitate a unified Federal response and ensure
that the right combination of agencies responds to a particular incident.
Enabling Restoration and Recovery — Federal
response activities will be conducted in a manner to facilitate restoration
and recovery of an entity that has experienced a cyber incident, balancing
investigative and national security requirements with the need to return
to normal operations as quickly as possible.
Significant Cyber Incidents
While the Federal government will adhere to the five principles in responding
to any cyber incident, the PPD's policies and procedures
are aimed at a particular class of cyber incident: significant cyber
incidents. A significant cyber incident is one that either singularly
or as part of a group of related incidents is likely to result in demonstrable
harm to the national security interests, foreign relations, or economy of
the United States or to the public confidence, civil liberties, or public
health and safety of the American people.
When a cyber incident occurs, determining its potential severity is critical
to ensuring the incident receives the appropriate level of attention.
No two incidents are the same and, particularly at the initial stages, important
information, including the nature of the perpetrator, may be
Therefore, as part of the process of developing the incident response policy,
the Administration also developed a common schema for describing the severity
of cyber incidents, which can include credible reporting of a cyber threat,
observed malicious cyber activity, or both. The schema establishes
a common framework for evaluating and assessing cyber incidents to ensure
that all Federal departments and agencies have a common view of the severity
of a given incident, the consequent urgency of response efforts, and the
need for escalation to senior levels.
The schema describes a cyber incident's severity from a
national perspective, defining six levels, zero through five, in ascending
order of severity. Each level describes the incident's
potential to affect public health or safety, national security, economic
security, foreign relations, civil liberties, or public confidence.
An incident that ranks at a level 3 or above on this schema is considered
"significant" and will trigger application
of the PPD's coordination mechanisms.
Lines of Effort and Lead Agencies
To establish accountability and enhance clarity, the PPD organizes Federal
response activities into three lines of effort and establishes a Federal
lead agency for each:
Threat response activities include the law enforcement and national security
investigation of a cyber incident, including collecting evidence, linking
related incidents, gathering intelligence, identifying opportunities for
threat pursuit and disruption, and providing attribution. The
Department of Justice, acting through the Federal Bureau of Investigation
(FBI) and the National Cyber Investigative Joint Task Force (NCIJTF), will
be the Federal lead agency for threat response activities.
Asset response activities include providing technical assets and assistance
to mitigate vulnerabilities and reducing the impact of the incident, identifying
and assessing the risk posed to other entities and mitigating those risks,
and providing guidance on how to leverage Federal resources and
capabilities. The Department of Homeland Security (DHS),
acting through the National Cybersecurity and Communications Integration
Center (NCCIC), will be the Federal lead agency for asset response
activities. The PPD directs DHS to coordinate closely with the
relevant Sector-Specific Agency, which will depend on what kind of organization
is affected by the incident.
Intelligence Support and related activities include intelligence collection
in support of investigative activities, and integrated analysis of threat
trends and events to build situational awareness and to identify knowledge
gaps, as well as the ability to degrade or mitigate adversary threat
capabilities. The Office of the Director of National Intelligence,
through the Cyber Threat Intelligence Integration Center, will be the Federal
lead agency for intelligence support and related activities.
In addition to these lines of effort, a victim will undertake a wide variety
of response activities in order to maintain business or operational continuity
in the event of a cyber incident. We recognize that for the victim,
these activities may well be the most important. Such efforts can include
communications with customers and the workforce; engagement with stakeholders,
regulators, or oversight bodies; and recovery and reconstitution
efforts. When a Federal agency is a victim of a significant cyber
incident, that agency will be the lead for this fourth line of effort.
In the case of a private victim, the Federal government typically will not
play a role in this line of effort, but will remain cognizant of the
victim's response activities consistent with these principles
and coordinate with the victim.
In order to facilitate the more coordinated, integrated response demanded
by significant cyber incidents, the PPD establishes a three-tiered coordination
architecture for handling those incidents:
National Policy Level: The PPD institutionalizes the National Security
Council-chaired interagency Cyber Response Group (CRG). The CRG will
coordinate the development and implementation of United States Government
policy and strategy with respect to significant cyber incidents affecting
the United States or its interests abroad.
National Operational Level: The PPD directs agencies to take two actions
at the national operational level in the event of a significant cyber
Activate enhanced internal coordination procedures. The PPD instructs
agencies that regularly participate in the Cyber Response Group to develop
these procedures to ensure that they can surge effectively when confronted
with an incident that exceeds their day-to-day operational capacity.
Create a Unified Coordination Group. In the event of a significant
cyber incident, the PPD provides that the lead agencies for each line of
effort, along with relevant Sector-Specific Agencies (SSAs), state, local,
tribal and territorial governments, international counterparts, and private
sector entities, will form a Cyber Unified Coordination Group (UCG) to coordinate
response activities. The Cyber UCG shall coordinate the development,
prioritization, and execution of cyber response efforts, facilitate rapid
information sharing among UCG members, and coordinate communications with
stakeholders, including the victim entity.
Field Level: The PPD directs the lead agencies for each line of effort
to coordinate their interaction with each other and with the affected entity.
Integration with Existing Response Policy
The PPD also integrates U.S. cyber incident coordination policy with key
aspects of existing Federal preparedness policy to ensure that the Nation
will be ready to manage incidents that include both cyber and physical effects,
such as a significant power outage resulting from malicious cyber
activity. The PPD will be implemented by the Federal government consistent
with existing preparedness and response efforts.
The PPD also directs several follow-on tasks in order to ensure its full
implementation. In particular, it requires that the Administration
develop and finalize the National Cyber Incident Response Plan
— in coordination with State, Local, Territorial, and Tribal
governments, the private sector, and the public — to further
detail how the government will manage cyber incidents affecting critical
infrastructure. It also directs DHS and DOJ to develop a concept of
operations for how a Cyber UCG will operate and for the NSC to update the
charter for the CRG.
July 26, 2016
Presidential Policy Directive -- United States Cyber Incident
PRESIDENTIAL POLICY DIRECTIVE/PPD-41
SUBJECT: United States Cyber Incident Coordination
The advent of networked technology has spurred innovation, cultivated knowledge,
encouraged free expression, and increased the Nation's
economic prosperity. However, the same infrastructure that enables these
benefits is vulnerable to malicious activity, malfunction, human error, and
acts of nature, placing the Nation and its people at risk. Cyber incidents
are a fact of contemporary life, and significant cyber incidents are occurring
with increasing frequency, impacting public and private infrastructure located
in the United States and abroad.
United States preparedness efforts have positioned the Nation to manage a
broad range of threats and hazards effectively. Every day, Federal law
enforcement and those agencies responsible for network defense in the United
States manage, respond to, and investigate cyber incidents in order to ensure
the security of our information and communications infrastructure. The private
sector and government agencies have a shared vital interest in protecting
the Nation from malicious cyber activity and managing cyber incidents and
their consequences. The nature of cyberspace requires individuals, organizations,
and the government to all play roles in incident response. Furthermore, effective
incident response efforts will help support an open, interoperable, secure,
and reliable information and communications infrastructure that promotes
trade and commerce, strengthens international security, fosters free expression,
and reinforces the privacy and security of our citizens.
While the vast majority of cyber incidents can be handled through existing
policies, certain cyber incidents that have significant impacts on an entity,
our national security, or the broader economy require a unique approach to
response efforts. These significant cyber incidents demand unity of effort
within the Federal Government and especially close coordination between the
public and private sectors.
This Presidential Policy Directive (PPD) sets forth principles governing
the Federal Government's response to any cyber incident,
whether involving government or private sector entities. For significant
cyber incidents, this PPD also establishes lead Federal agencies and an
architecture for coordinating the broader Federal Government response. This
PPD also requires the Departments of Justice and Homeland Security to maintain
updated contact information for public use to assist entities affected by
cyber incidents in reporting those incidents to the proper authorities.
Cyber incident. An event occurring on or conducted through
a computer network that actually or imminently jeopardizes the integrity,
confidentiality, or availability of computers, information or communications
systems or networks, physical or virtual infrastructure controlled by computers
or information systems, or information resident thereon. For purposes of
this directive, a cyber incident may include a vulnerability in an information
system, system security procedures, internal controls, or implementation
that could be exploited by a threat source.
Significant cyber incident. A cyber incident that is (or group of related cyber
incidents that together are) likely to result in demonstrable harm to the
national security interests, foreign relations, or economy of the United
States or to the public confidence, civil liberties, or public health and
safety of the American people.
III. Principles Guiding Incident Response
In carrying out incident response activities for any cyber incident, the
Federal Government will be guided by the following principles:
Shared Responsibility. Individuals, the private sector,
and government agencies have a shared vital interest and complementary roles
and responsibilities in protecting the Nation from malicious cyber activity
and managing cyber incidents and their consequences.
Risk-Based Response. The Federal Government will determine
its response actions and the resources it brings to bear based on an assessment
of the risks posed to an entity, our national security, foreign relations,
the broader economy, public confidence, civil liberties, or the public health
and safety of the American people.
Respecting affected entities. To the extent permitted under
law, Federal Government responders will safeguard details of the incident,
as well as privacy and civil liberties, and sensitive private sector information,
and generally will defer to affected entities in notifying other affected
private sector entities and the public. In the event a significant Federal
Government interest is served by issuing a public statement concerning an
incident, Federal responders will coordinate their approach with the affected
entities to the extent possible.
Unity of Governmental Effort. Various government entities
possess different roles, responsibilities, authorities, and capabilities
that can all be brought to bear on cyber incidents. These efforts must be
coordinated to achieve optimal results. Whichever Federal agency first becomes
aware of a cyber incident will rapidly notify other relevant Federal agencies
in order to facilitate a unified Federal response and ensure that the right
combination of agencies responds to a particular incident. State, local,
tribal, and territorial (SLTT) governments also have responsibilities, authorities, capabilities, and resources
that can be used to respond to a cyber incident; therefore, the Federal
Government must be prepared to partner with SLTT governments in its cyber
incident response efforts. The transnational nature of the Internet and
communications infrastructure requires the United States to coordinate with
international partners, as appropriate, in managing cyber incidents.
Enabling Restoration and Recovery. Federal response activities
will be conducted in a manner to facilitate restoration and recovery of an
entity that has experienced a cyber incident, balancing investigative and
national security requirements, public health and safety, and the need to
return to normal operations as quickly as possible.
IV. Concurrent Lines of Effort
In responding to any cyber incident, Federal agencies shall undertake three
concurrent lines of effort: threat response; asset response; and intelligence
support and related activities. In addition, when a Federal agency is an
affected entity, it shall undertake a fourth concurrent line of effort to
manage the effects of the cyber incident on its operations, customers, and
Threat response activities include conducting appropriate law enforcement
and national security investigative activity at the affected
entity's site; collecting evidence and gathering intelligence;
providing attribution; linking related incidents; identifying additional
affected entities; identifying threat pursuit and disruption opportunities;
developing and executing courses of action to mitigate the immediate threat;
and facilitating information sharing and operational coordination with asset
Asset response activities include furnishing technical assistance to affected
entities to protect their assets, mitigate vulnerabilities, and reduce impacts
of cyber incidents; identifying other entities that may be at risk and assessing
their risk to the same or similar vulnerabilities; assessing potential risks
to the sector or region, including potential cascading effects, and developing
courses of action to mitigate these risks; facilitating information sharing
and operational coordination with threat response; and providing guidance
on how best to utilize Federal resources and capabilities in a timely, effective
manner to speed recovery.
Threat and asset responders will share some responsibilities and activities,
which may include communicating with affected entities to understand the
nature of the cyber incident; providing guidance to affected entities on
available Federal resources and capabilities; promptly disseminating through
appropriate channels intelligence and information learned in the course of
the response; and facilitating information sharing and operational coordination
with other Federal Government entities.
Intelligence support and related activities facilitate the building of
situational threat awareness and sharing of related intelligence; the integrated
analysis of threat trends and events; the identification of knowledge gaps;
and the ability to degrade or mitigate adversary threat capabilities.
An affected Federal agency shall engage in a variety of efforts to manage
the impact of a cyber incident, which may include maintaining business or
operational continuity; addressing adverse financial impacts; protection
of privacy; managing liability risks; complying with legal and regulatory
requirements (including disclosure and notification); engaging in communications
with employees or other affected individuals; and dealing with external affairs
(e.g., media and congressional inquiries). The affected Federal agency will
have primary responsibility for this line of effort.
When a cyber incident affects a private entity, the Federal Government typically
will not play a role in this line of effort, but it will remain cognizant
of the affected entity's response activities, consistent
with the principles above and in coordination with the affected entity. The
relevant sector-specific agency (SSA) will generally coordinate the Federal
Government's efforts to understand the potential business
or operational impact of a cyber incident on private sector critical
V. Architecture of Federal Government Response Coordination for
Significant Cyber Incidents [1]
In order to respond effectively to significant cyber incidents, the Federal
Government will coordinate its activities in three ways:
National Policy Coordination [2]
The Cyber Response Group (CRG), in support of the National Security Council
(NSC) Deputies and Principals Committees, and accountable through the Assistant
to the President for Homeland Security and Counterterrorism (APHSCT) to the
NSC chaired by the President, shall coordinate the development and implementation
of United States Government policy and strategy with respect to significant
cyber incidents affecting the United States or its interests abroad.
National Operational Coordination
Agency Enhanced Coordination Procedures. Each Federal agency that regularly
participates in the CRG, including SSAs, shall establish and follow enhanced
coordination procedures as defined in the annex to this PPD in situations
in which the demands of responding to a significant cyber incident exceed
its standing capacity.
Cyber Unified Coordination Group. A Cyber Unified Coordination Group (UCG)
shall serve as the primary method for coordinating between and among Federal
agencies in response to a significant cyber incident as well as for integrating
private sector partners into incident response efforts, as appropriate. A
Cyber UCG shall be formed at the direction of the NSC Principals Committee,
Deputies Committee, or the CRG, or when two or more Federal agencies that
generally participate in the CRG, including relevant SSAs, request its formation.
A Cyber UCG shall also be formed when a significant cyber incident affects
critical infrastructure owners and operators identified by the Secretary
of Homeland Security as owning or operating critical infrastructure for which
a cyber incident could reasonably result in catastrophic regional or national
effects on public health or safety, economic security, or national security.
A Cyber UCG will normally consist of Federal lead agencies for threat response,
asset response, and intelligence support, but will also include SSAs, if
a cyber incident affects or is likely to affect sectors they represent. In
addition, as required by the scope, nature, and facts of a particular significant
cyber incident, a Cyber UCG may include participation from other Federal
agencies, SLTT governments, nongovernmental organizations, international
counterparts, or the private sector.
Following the formation of a Cyber UCG, Federal agencies responding to the
incident shall assign appropriate senior executives, staff, and resources
to execute the agency's responsibilities as part of a Cyber
UCG. The Cyber UCG is intended to result in unity of effort and not to alter
agency authorities or leadership, oversight, or command responsibilities.
Unless mutually agreed upon between agency heads or their designees, and
consistent with applicable legal authorities such as the Economy Act of 1932
(31 U.S.C. 1535), Federal departments and agencies will maintain operational
control over their respective agency assets.
Federal lead agencies. In order to ensure that the Cyber UCG achieves maximum
effectiveness in coordinating responses to significant cyber incidents, the
following agencies shall serve as Federal lead agencies for the specified
line of effort:
In view of the fact that significant cyber incidents will often involve at
least the possibility of a nation-state actor or have some other national
security nexus, the Department of Justice, acting through the Federal Bureau
of Investigation and the National Cyber Investigative Joint Task Force, shall
be the Federal lead agency for threat response activities.
The Department of Homeland Security, acting through the National Cybersecurity
and Communications Integration Center, shall be the Federal lead agency for
asset response activities.
The Office of the Director of National Intelligence, through the Cyber Threat
Intelligence Integration Center, shall be the Federal lead agency for
intelligence support and related activities.
Drawing upon the resources and capabilities across the Federal Government,
the Federal lead agencies are responsible for:
Coordinating any multi-agency threat or asset response activities to provide
unity of effort, to include coordinating with any agency providing support
to include SSAs in recognition of their unique expertise;
Ensuring that their respective lines of effort are coordinated with other
Cyber UCG participants and affected entities, as appropriate;
Identifying and recommending to the CRG, if elevation is required, any additional
Federal Government resources or actions necessary to appropriately respond
to and recover from the incident; and
Coordinating with affected entities on various aspects of threat, asset,
and affected entity response activities through a Cyber UCG, as appropriate.
Field-level representatives of the Federal asset or threat response lead
agencies shall ensure that they effectively coordinate their activities within
their respective lines of effort with each other and the affected entity.
Such representatives may be co-located with the affected entity.
VI. Unified Public Communications
The Departments of Homeland Security and Justice shall maintain and update
as necessary a fact sheet outlining how private individuals and organizations
can contact relevant Federal agencies about a cyber incident.
VII. Relationship to Existing Policy
Nothing in this directive alters, supersedes, or limits the authorities of
Federal agencies to carry out their functions and duties consistent with
applicable legal authorities and other Presidential guidance and directives.
This directive generally relies on and furthers the implementation of existing
policies and explains how United States cyber incident response structures
interact with those existing policies. In particular, this policy complements
and builds upon PPD-8 on National Preparedness of March 30, 2011. By integrating
cyber and traditional preparedness efforts, the Nation will be ready to manage
incidents that include both cyber and physical effects.
[1] Additional details regarding the Federal Government's
coordination architecture for significant cyber incidents are contained in
an annex to this PPD.
[2] This sub-section supersedes NSPD-54/HSPD-23, paragraph 13, concerning the
National Cyber Response Coordination Group.
July 26, 2016
Annex for Presidential Policy Directive -- United States Cyber Incident
SUBJECT: Federal Government Coordination Architecture for Significant
This annex to PPD-41, United States Cyber Incident Coordination Policy, provides
further details concerning the Federal Government coordination architecture
for significant cyber incidents and prescribes certain implementation tasks.
II. Coordination Architecture
A. National Policy Coordination
The Cyber Response Group (CRG) shall be chaired by the Special Assistant
to the President and Cybersecurity Coordinator (Chair), or an equivalent
successor, and shall convene on a regular basis and as needed at the request
of the Assistant to the President for Homeland Security and Counterterrorism
and Deputy National Security Advisor. Federal departments and agencies,
including relevant cyber centers, shall be invited to participate in the
CRG, as appropriate, based on their respective roles, responsibilities, and
expertise or in the circumstances of a given incident or grouping of incidents.
CRG participants shall generally include senior representatives from
the Departments of State, the Treasury, Defense (DOD), Justice (DOJ), Commerce,
Energy, Homeland Security (DHS) and its National Protection and Programs
Directorate, and the United States Secret Service, the Joint Chiefs
of Staff, Office of the Director of National Intelligence, the Federal Bureau
of Investigation, the National Cyber Investigative Joint Task Force, the
Central Intelligence Agency, and the National Security Agency. The
Federal Communications Commission shall be invited to participate should
the Chair assess that its inclusion is warranted by the circumstances and
to the extent the Commission determines such participation is consistent
with its statutory authority and legal obligations.
The CRG shall:
Coordinate the development and implementation of the Federal
Government's policies, strategies, and procedures for
responding to significant cyber incidents;
Receive regular updates from the Federal cybersecurity centers and agencies
on significant cyber incidents and measures being taken to resolve or respond
to those incidents;
Resolve issues elevated to it by subordinate bodies as may be established,
such as a Cyber Unified Coordination Group (UCG);
Collaborate with the Counterterrorism Security Group and Domestic Resilience
Group when a cross-disciplinary response to a significant cyber incident
Identify and consider options for responding to significant cyber incidents,
and make recommendations to the Deputies Committee, where higher-level guidance
is required, in accordance with PPD-1 on Organization of the National Security
Council System of February 13, 2009, or any successor; and
Consider the policy implications for public messaging in response to significant
cyber incidents, and coordinate a communications strategy, as necessary,
regarding a significant cyber incident.
B. National Operational Coordination
To promote unity of effort in response to a significant cyber incident, a
Cyber UCG shall:
Coordinate the cyber incident response in a manner consistent with the principles
described in section III of this directive;
Ensure all appropriate Federal agencies, including sector-specific agencies
(SSAs), are incorporated into the incident response;
Coordinate the development and execution of response and recovery tasks,
priorities, and planning efforts, including international and cross-sector
outreach, necessary to respond appropriately to the incident and to speed
Facilitate the rapid and appropriate sharing of information and intelligence
among Cyber UCG participants on the incident response and recovery activities;
Coordinate consistent, accurate, and appropriate communications regarding
the incident to affected parties and stakeholders, including the public as
For incidents that include cyber and physical effects, form a combined UCG
with the lead Federal agency or with any UCG established to manage the physical
effects of the incident under the National Response Framework developed pursuant
to PPD-8 on National Preparedness.
SSAs shall be members of the UCG for significant cyber incidents that affect
or are likely to affect their respective sectors. As set forth in
Presidential Policy Directive 21, the SSAs for critical infrastructure sectors
are as follows: DHS (Chemical, Commercial Facilities, Communications,
Critical Manufacturing, Dams, Emergency Services, Government Facilities,
Information Technology, Nuclear Reactors, Materials, and Waste, and
Transportation Systems); DOD (Defense Industrial Base); Department of Energy
(Energy); Department of the Treasury (Financial Services); Department of
Agriculture (Food and Agriculture); Department of Health and Human Services
(Healthcare and Public Health, and Food and Agriculture); General Services
Administration (Government Facilities); Department of Transportation
(Transportation Systems); and the Environmental Protection Agency (Water
and Wastewater Systems).
A Cyber UCG shall operate in a manner that is consistent with the need to
protect intelligence and law enforcement sources, methods, operations, and
investigations, the privacy of individuals, and sensitive private sector
A Cyber UCG shall dissolve when enhanced coordination procedures for threat
and asset response are no longer required or the authorities, capabilities,
or resources of more than one Federal agency are no longer required to manage
the remaining facets of the Federal response to an incident.
III. Federal Government Response to Incidents Affecting Federal
Nothing in this directive alters an agency's obligations
to comply with the requirements of the Federal Information Security Modernization
Act of 2014 (FISMA) or Office of Management and Budget (OMB) guidelines related
to responding to an "incident," "breach," or "major incident" as defined in
that statute and OMB guidance.
Federal agencies shall follow OMB guidance to determine whether an
incident is considered a "major incident"
pursuant to FISMA. If the cyber incident meets the threshold for a
"major incident," it is also a "significant cyber incident" for purposes
of this directive and shall be managed in accordance with this directive.
A. Civilian Federal Networks
The Director of OMB oversees Federal agency information security policies
and practices. The Secretary of Homeland Security, in consultation
with the Director of OMB, administers the implementation of Federal agency
information security policies and practices and operates the Federal information
security incident center. The National Institute of Standards and
Technology (NIST) develops standards and guidelines for Federal information
systems that are mandatory for Federal agencies to implement.
Federal agencies shall respond to significant cyber incidents in accordance
with this directive and applicable policies and procedures, including the
reporting of incidents to DHS as required by the U.S. Computer Emergency
Readiness Team Federal incident notification guidelines.
Where the effects of a significant cyber incident are limited to the operational
activities of an individual Federal agency, that affected agency shall maintain
primary authority over the affected assets and be responsible for managing
the restoration services and related networks, systems, and applications
and making the decision to restart an affected system. DHS and other
Federal agencies shall provide support as appropriate.
Where a significant cyber incident has an impact on multiple Federal agencies
or on the integrity, confidentiality, or availability of services to the
public, the decision to restart an affected system rests with the owning
Federal agency, but OMB and the Federal lead agencies for threat and asset
response shall provide a consolidated, timely written recommendation, with
appropriate caveats and conditions, to help inform that owning
B. DOD Information Network
The Secretary of Defense shall be responsible for managing the threat and
asset response to cyber incidents affecting the Department of Defense Information
Network, including restoration activities, with support from other Federal
agencies as appropriate.
C. Intelligence Community Networks
The Director of National Intelligence shall be responsible for managing the
threat and asset response for the integrated defense of the Intelligence
Community (IC) information environment through the Intelligence Community
Security Coordination Center, in conjunction with IC mission partners and
with support from other Federal agencies, as appropriate.
IV. Implementation and Assessment
Federal agencies shall take the following actions to implement this directive:
Within 90 days of the date of this directive, the National Security Council
(NSC) staff shall update the CRG charter to account for and support the policy
set forth herein, which shall be submitted to the President through the Assistant
to the President for Homeland Security and Counterterrorism.
B. Enhanced Coordination Procedures
Each Federal agency that regularly participates in the CRG, including SSAs,
shall ensure that it has the standing capacity to execute its role in cyber
incident response. To prepare for situations in which the demands of
a significant cyber incident exceed its standing capacity, each such agency
shall, within 90 days of the date of this directive, establish enhanced
coordination procedures that, when activated, bring dedicated leadership,
supporting personnel, facilities (physical and communications), and internal
processes enabling it to manage a significant cyber incident under demands
that would exceed its capacity to coordinate under normal operating conditions.
Within 90 days of the date of this directive, the SSAs shall develop or update
sector-specific procedures, as needed and in consultation with the sector(s),
for enhanced coordination to support response to a significant cyber incident,
consistent with this directive.
Enhanced coordination procedures shall identify the appropriate pathways
for communicating with other Federal agencies during a significant cyber
incident, including the relevant agency points-of-contact, and for notifying
the CRG that enhanced coordination procedures were activated or initiated;
highlight internal communications and decisionmaking processes that are
consistent with effective incident coordination; and outline processes for
maintaining these procedures.
In addition, each Federal agency's enhanced coordination
procedures shall identify the agency's processes and existing
capabilities to coordinate cyber incident response activities in a manner
consistent with this directive. The procedures shall identify a trained
senior executive to oversee that agency's participation
in a Cyber UCG. SSAs shall have a trained senior executive for each
of the sectors for which it is the designated SSA under Presidential Policy
Within 120 days of the date of this directive, the SSAs shall coordinate
with critical infrastructure owners and operators to synchronize sector-specific
planning consistent with this directive.
Within 150 days of the date of this directive, the Federal Emergency Management
Agency shall make necessary updates to its existing Unified Coordination
training to incorporate the tenets of this directive.
Within 150 days of the date of this directive, Federal agencies shall update
cyber incident coordination training to incorporate the tenets of this directive.
Federal agencies shall identify and maintain a cadre of personnel qualified
and trained in the National Incident Management System and Unified Coordination
to manage and respond to a significant cyber incident. These personnel
will provide necessary expertise to support tasking and decisionmaking by
a Cyber UCG.
Within 180 days of the date of this directive, Federal agencies shall incorporate
the tenets of this policy in cyber incident response exercises. This
will include exercises conducted as part of the National Exercise Program.
Exercises shall be conducted at a frequency necessary to ensure Federal agencies
are prepared to execute the plans and procedures called for under this
directive. When appropriate, exercises shall consider the effectiveness
of the end-to-end information sharing process.
E. Cyber UCG Post-Incident Review
Upon dissolution of each Cyber UCG, the Chair of the CRG shall direct a review
of a Cyber UCG's response to a significant cyber incident
at issue and the preparation of a report based on that review to be provided
to the CRG within 30 days. Federal agencies shall modify any plans
or procedures for which they are responsible under this directive as appropriate
or necessary in light of that report.
F. National Cyber Incident Response Plan
Within 180 days of the date of this directive, DHS and DOJ, in coordination
with the SSAs, shall submit a concept of operations for the Cyber UCG to
the President, through the Assistant to the President for Homeland Security
and Counterterrorism and the Director of OMB, that is consistent with the
principles, policies, and coordination architecture set forth in this
directive. This concept of operations shall further develop how the
Cyber UCG and field elements of the Federal coordination architecture will
work in practice for significant cyber incidents, including mechanisms for
coordinating with Federal agencies managing the physical effects of an incident
that has both cyber and physical elements and for integration of private
sector entities in response activities when appropriate. The Secretary
of Homeland Security shall, as appropriate, incorporate or reference this
concept of operations in the Cyber Incident Annex required by section 205
of the Cybersecurity Act of 2015.
Within 180 days of the date of this directive, the Secretary of Homeland
Security, in coordination with the Attorney General, the Secretary of Defense,
and the SSAs, shall submit a national cyber incident response plan to address
cybersecurity risks to critical infrastructure to the President, through
the Assistant to the President for Homeland Security and Counterterrorism
and the Director of OMB, that is consistent with the principles, policies,
and coordination architecture set forth in this directive. The Secretary
of Homeland Security shall ensure that the plan satisfies section 7 of the
National Cybersecurity Protection Act of 2014. This plan shall be developed
in consultation with SLTT governments, sector coordinating councils, information
sharing and analysis organizations, owners and operators of critical
infrastructure, and other appropriate entities and individuals. The
plan shall take into account how these stakeholders will coordinate with
Federal agencies to mitigate, respond to, and recover from cyber incidents
affecting critical infrastructure.