Cyber Incident Response

When cyber incidents occur, the Department of Homeland Security (DHS) provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents. The Department works in close coordination with other agencies with complementary cyber missions, as well as private sector and other non-federal owners and operators of critical infrastructure, to ensure greater unity of effort and a whole-of-nation response to cyber incidents.

National Cybersecurity and Communications Integration Center (NCCIC)

The National Cybersecurity and Communications Integration Center's (NCCIC) mission is to reduce the risk of systemic cybersecurity and communications challenges in our role as the Nation's flagship cyber defense, incident response, and operational integration center. Since 2009, the NCCIC has served as a national hub for cyber and communications information, technical expertise, and operational integration, and by operating our 24/7 situational awareness, analysis, and incident response center.

NCCIC brings advanced network and digital media analysis expertise to bear on malicious activity targeting our nation's networks. NCCIC develops timely and actionable information for distribution to federal departments and agencies, state and local governments, private sector organizations, and international partners. NCCIC also operates the National Cybersecurity Protection System (NCPS), which provides intrusion detection and prevention capabilities to covered federal departments and agencies.

NCCIC’s National Cybersecurity Assessment and Technical Services (NCATS) offers cybersecurity scanning and testing services that identify vulnerabilities within stakeholder networks and provide risk analysis reports with actionable remediation recommendations. These critical services enable proactive mitigation to exploitable risks and include network (wired and wireless) mapping and system characterization; vulnerability scanning and validation; threat identification and evaluation; social engineering, application, database, and operating system configuration review; and incident response testing. For more information, email

NCCIC’s National Coordinating Center for Communications (NCC) leads and coordinates the initiation, restoration, and reconstitution of national security and emergency preparedness telecommunications services and/or facilities under all conditions. NCC leverages partnerships with government, industry and international partners to obtain situational awareness and determine priorities for protection and response.

Reporting Cyber Incidents to the Federal Government

Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government

Presidential Policy Directive (PPD)/PPD-41, United States Cyber Incident Coordination, outlines the roles federal agencies play during a significant cyber incident. The Department of Homeland Security (DHS) is unique among agencies in that it plays a major role in both asset response and threat response. Asset response focuses on the assets of the victim or potential targets of malicious activity, while threat response includes identifying, pursuing, and disrupting malicious cyber actors and activity.

DHS is the lead agency for asset response during a significant cyber incident. The department’s National Cybersecurity and Communications Center (NCCIC) assists asset owners in mitigating vulnerabilities, identifies other entities that may be at risk, and shares information across the public and private sectors to protect against similar incidents in the future. The Department of Justice, through the FBI and the NCIJTF, is the lead agency for threat response during a significant incident, with DHS’s investigative agencies—the Secret Service and ICE/HSI - playing a crucial role in criminal investigations.

This fact sheet, Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government, explains when, what, and how to report a cyber incident to the federal government.

National Cyber Incident Response Plan (NCIRP)

The NCIRP describes a national approach to cyber incidents, delineating the important role that private sector entities, state and local governments, and multiple federal agencies play in responding to incidents and how those activities all fit together. This updated plan applies to cyber incidents and more specifically significant cyber incidents that are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

The NCIRP reflects and incorporates lessons learned from exercises and cyber incidents, and policy and statutory updates, such as Presidential Policy Directive (PPD) 41 on Cyber Incident Coordination Policy and the National Cybersecurity Protection Act of 2014. The NCIRP leverages principles from the National Preparedness System and was developed in coordination with the Departments of Justice and Defense, the Sector Specific Agencies and other interagency partners, representatives from across 16 critical infrastructure sectors, the private sector, and state and local governments.

To learn more about the NCIRP, please visit the US-CERT NCIRP page.


Last Updated Date: October 27, 2020

Was this document helpful?  Yes  |  Somewhat  |  No