Cyber Incident Response


When cyber incidents occur, the Department of Homeland Security (DHS) provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents. The Department works in close coordination with other agencies with complementary cyber missions, as well as private sector and other non-federal owners and operators of critical infrastructure, to ensure greater unity of effort and a whole-of-nation response to cyber incidents.

CISA Central

CISA Central's mission is to reduce the risk of systemic cybersecurity and communications challenges in our role as the Nation's flagship cyber defense, incident response, and operational integration center. Since 2009,CISA Central has served as a national hub for cyber and communications information, technical expertise, and operational integration, and by operating our 24/7 situational awareness, analysis, and incident response center.

CISA Central brings advanced network and digital media analysis expertise to bear on malicious activity targeting our nation's networks. CISA Central develops timely and actionable information for distribution to federal departments and agencies, state and local governments, private sector organizations, and international partners. CISA Central also operates the National Cybersecurity Protection System (NCPS), which provides intrusion detection and prevention capabilities to covered federal departments and agencies.

CISA Central’s National Cybersecurity Assessment and Technical Services (NCATS) offers cybersecurity scanning and testing services that identify vulnerabilities within stakeholder networks and provide risk analysis reports with actionable remediation recommendations. These critical services enable proactive mitigation to exploitable risks and include network (wired and wireless) mapping and system characterization; vulnerability scanning and validation; threat identification and evaluation; social engineering, application, database, and operating system configuration review; and incident response testing. For more information, email NCATS_Info@DHS.gov.

CISA Central’s National Coordinating Center for Communications (NCC) leads and coordinates the initiation, restoration, and reconstitution of national security and emergency preparedness telecommunications services and/or facilities under all conditions. NCC leverages partnerships with government, industry and international partners to obtain situational awareness and determine priorities for protection and response.

Reporting Cyber Incidents to the Federal Government

Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government

Presidential Policy Directive (PPD)/PPD-41, United States Cyber Incident Coordination, outlines the roles federal agencies play during a significant cyber incident. The Department of Homeland Security (DHS) is unique among agencies in that it plays a major role in both asset response and threat response. Asset response focuses on the assets of the victim or potential targets of malicious activity, while threat response includes identifying, pursuing, and disrupting malicious cyber actors and activity.

DHS is the lead agency for asset response during a significant cyber incident. The department’s National Cybersecurity and Communications Center (NCCIC) assists asset owners in mitigating vulnerabilities, identifies other entities that may be at risk, and shares information across the public and private sectors to protect against similar incidents in the future. The Department of Justice, through the FBI and the NCIJTF, is the lead agency for threat response during a significant incident, with DHS’s investigative agencies—the Secret Service and ICE/HSI - playing a crucial role in criminal investigations.

This fact sheet, Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government, explains when, what, and how to report a cyber incident to the federal government.

National Cyber Incident Response Plan (NCIRP)

The NCIRP describes a national approach to cyber incidents, delineating the important role that private sector entities, state and local governments, and multiple federal agencies play in responding to incidents and how those activities all fit together. This updated plan applies to cyber incidents and more specifically significant cyber incidents that are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

The NCIRP reflects and incorporates lessons learned from exercises and cyber incidents, and policy and statutory updates, such as Presidential Policy Directive (PPD) 41 on Cyber Incident Coordination Policy and the National Cybersecurity Protection Act of 2014. The NCIRP leverages principles from the National Preparedness System and was developed in coordination with the Departments of Justice and Defense, the Sector Specific Agencies and other interagency partners, representatives from across 16 critical infrastructure sectors, the private sector, and state and local governments.

To learn more about the NCIRP, please visit the US-CERT NCIRP page.

Incident Response Training

To support the capacity of our nation’s cyber enterprise, CISA has developed no-cost cybersecurity incident response training for government employees and contractors across Federal, State, Local, Tribal, and Territorial government, and is open to educational and critical infrastructure partners.

The Identify, Mitigate, and Recover (IMR) incident response curriculum provides a range of training offerings for beginner, intermediate, and advanced cyber professionals encompassing basic cybersecurity awareness and best practices for organizations, live red/blue team network defense demonstrations emulating real-time incident response scenarios, and hands- on cyber range training courses for incident response practitioners. Course types include: Awareness Webinars, Cyber Range Training, Cyber Range Challenges, and Observe the Attack. With four types of courses, there are valuable learning opportunities available for everyone from cyber newbies to veteran cybersecurity engineers. 

To learn more about CISA's Incident Response Training, please visit the Incident Response Training page.

Cybersecurity Incident and Vulnerability Response Playbooks

CISA published the Cybersecurity Incident and Vulnerability Response Playbooks that provide federal civilian agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. However, CISA encourages private sector, critical infrastructure entities, and state, local, tribal and territorial governments to review them to take stock of their response processes and procedures. The playbooks are more tools for our federal partners, as well as those in industry, to ensure resilient architectures and systems, and protect against vulnerabilities being exploited.

The Incident Response Playbook applies to incidents that involve confirmed malicious cyber activity and for which a major incident has been declared or not yet been reasonably ruled out. Some examples include incidents involving lateral movement, credential access, exfiltration of data; network intrusions involving more than one user or system; or compromised administrator accounts. The playbook includes a checklist for incident response and another for incident response preparation, and both can be adapted for use by organizations outside the federal government. 

The Vulnerability Response Playbook applies to any vulnerability that is observed to be used by adversaries to gain unauthorized entry (i.e., known exploited vulnerability) into computing resources. It builds on CISA’s Binding Operational Directive 22-01 by standardizing the high-level process that agencies should follow when responding to these vulnerabilities that pose significant risk across the federal government. This playbook includes a checklist, which can easily be adapted by non-federal organizations, to track appropriate vulnerability response activities in four phases to completion.  

Click here for a downloadable version of the Federal Government Cybersecurity Incident & Vulnerability Response Playbooks.
Last Updated Date: November 16, 2021

Was this webpage helpful?  Yes  |  Somewhat  |  No