Print
Category: National News

Washington, DC - Today, the President approved a Presidential Policy Directive (PPD) on United States Cyber Incident Coordination.  This new PPD marks a major milestone in codifying the policy that governs the Federal government’s response to significant cyber incidents.

Since the beginning of his Administration, President Obama has emphasized that malicious cyber activity poses a serious threat to the national and economic security of the United States.  As set forth in the Cybersecurity National Action Plan, over the last seven and a half years the Administration’s cyber policy has been based on three strategic pillars:  raising the level of cybersecurity in our public, private, and consumer sectors, in both the short and the long-term; taking steps to deter, disrupt, and interfere with malicious cyber activity aimed at the United States or its allies; and responding effectively to and recovering from cyber incidents. 

Even as we have made progress on all three pillars, the United States has been faced with managing increasingly significant cyber incidents affecting both the private sector and Federal government.  We have applied the lessons learned from these events, as well as our experience in other areas such as counterterrorism and disaster response. That experience has allowed us to hone our approach but also demonstrated that significant cyber incidents demand a more coordinated, integrated, and structured response.  We have also heard from the private sector the need to provide clarity and guidance about the Federal government’s roles and responsibilities.   The PPD builds on these lessons and institutionalizes our cyber incident coordination efforts in numerous respects, including:

We also are releasing today a cyber incident severity schema that establishes a common framework within the Federal government for evaluating and assessing the severity of cyber incidents and will help identify significant cyber incidents to which the PPD’s coordination procedures would apply.

Incident Response Principles

The PPD outlines five principles that will guide the Federal government during any cyber incident response:

Significant Cyber Incidents

While the Federal government will adhere to the five principles in responding to any cyber incident, the PPD’s policies and procedures are aimed at a particular class of cyber incident: significant cyber incidents.  A significant cyber incident is one that either singularly or as part of a group of related incidents is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. 

When a cyber incident occurs, determining its potential severity is critical to ensuring the incident receives the appropriate level of attention.  No two incidents are the same and, particularly at the initial stages, important information, including the nature of the perpetrator, may be unknown.  

Therefore, as part of the process of developing the incident response policy, the Administration also developed a common schema for describing the severity of cyber incidents, which can include credible reporting of a cyber threat, observed malicious cyber activity, or both.  The schema establishes a common framework for evaluating and assessing cyber incidents to ensure that all Federal departments and agencies have a common view of the severity of a given incident, the consequent urgency of response efforts, and the need for escalation to senior levels.

The schema describes a cyber incident’s severity from a national perspective, defining six levels, zero through five, in ascending order of severity.  Each level describes the incident’s potential to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.  An incident that ranks at a level 3 or above on this schema is considered “significant” and will trigger application of the PPD’s coordination mechanisms. 

Lines of Effort and Lead Agencies

To establish accountability and enhance clarity, the PPD organizes Federal response activities into three lines of effort and establishes a Federal lead agency for each: 

In addition to these lines of effort, a victim will undertake a wide variety of response activities in order to maintain business or operational continuity in the event of a cyber incident.  We recognize that for the victim, these activities may well be the most important.  Such efforts can include communications with customers and the workforce; engagement with stakeholders, regulators, or oversight bodies; and recovery and reconstitution efforts.   When a Federal agency is a victim of a significant cyber incident, that agency will be the lead for this fourth line of effort.  In the case of a private victim, the Federal government typically will not play a role in this line of effort, but will remain cognizant of the victim’s response activities consistent with these principles and coordinate with the victim. 

Coordination Architecture

In order to facilitate the more coordinated, integrated response demanded by significant cyber incidents, the PPD establishes a three-tiered coordination architecture for handling those incidents:  

National Policy Level:  The PPD institutionalizes the National Security Council-chaired interagency Cyber Response Group (CRG).  The CRG will coordinate the development and implementation of United States Government policy and strategy with respect to significant cyber incidents affecting the United States or its interests abroad.

National Operational Level:  The PPD directs agencies to take two actions at the national operational level in the event of a significant cyber incident. 

Field Level:  The PPD directs the lead agencies for each line of effort to coordinate their interaction with each other and with the affected entity.

Integration with Existing Response Policy

The PPD also integrates U.S. cyber incident coordination policy with key aspects of existing Federal preparedness policy to ensure that the Nation will be ready to manage incidents that include both cyber and physical effects, such as a significant power outage resulting from malicious cyber activity.  The PPD will be implemented by the Federal government consistent with existing preparedness and response efforts. 

Implementation tasks

The PPD also directs several follow-on tasks in order to ensure its full implementation.  In particular, it requires that the Administration develop and finalize the National Cyber Incident Response Plan – in coordination with State, Local, Territorial, and Tribal governments, the private sector, and the public – to further detail how the government will manage cyber incidents affecting critical infrastructure.  It also directs DHS and DOJ to develop a concept of operations for how a Cyber UCG will operate and for the NSC to update the charter for the CRG.