DHS clarifies cyber incident coordination responsibilities under PPD-41
- Published: Thursday, 28 July 2016 08:14
US Department of Homeland Security Secretary Jeh C. Johnson has issued a statement setting out the DHS’ responsibilities under the new Presidential Policy Directive/PPD-41 on Cyber Incident Coordination.
In the statement Mr. Johnson says:
“The PPD spells out the lines of responsibility within the federal government for responses to a significant cyber incident, and specifies who to contact in the government in the event of an incident. The PPD delineates between ‘threat responses’ and ‘asset responses’. A threat response essentially involves investigating the crime, so that we can hunt down the bad actor. As the PPD spells out, federal law enforcement is the key point of contact for a threat response. The Department of Homeland Security, through our cybersecurity experts at the National Cybersecurity and Communications Integration Center, will act as the point of contact and lead coordinator for asset response. Asset response, like a threat response, is crucial. It involves helping the victim find the bad actor on its system, repair its system, patching the vulnerability, reducing the risks of future incidents, and preventing the incident from spreading to others.
“Finally, the PPD directs the Department of Homeland Security to lead the effort to write the National Cyber Incident Response Plan. This Plan will set out how the federal government will work with the private sector and state, local, and territorial governments in responding to a significant cyber incident.”
PPD-41 outlines five principles that will guide the Federal government during any cyber incident response. These are:
- Shared Responsibility: individuals, the private sector, and government agencies have a shared vital interest and complementary roles and responsibilities in protecting the US from malicious cyber activity and managing cyber incidents and their consequences.
- Risk-Based Response: the Federal government will determine its response actions and resource needs based on an assessment of the risks posed to an entity, national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.
- Respecting Affected Entities: Federal government responders will safeguard details of the incident, as well as privacy and civil liberties, and sensitive private sector information.
- Unity of Effort: whichever Federal agency first becomes aware of a cyber incident will rapidly notify other relevant Federal agencies in order to facilitate a unified Federal response and ensure that the right combination of agencies responds to a particular incident.
- Enabling Restoration and Recovery: Federal response activities will be conducted in a manner that facilitates restoration and recovery of an entity that has experienced a cyber incident, balancing investigative and national security requirements with the need to return to normal operations as quickly as possible.