Cyber Incident Response

When cyber incidents occur, the Department of Homeland Security (DHS) provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents. The Department works in close coordination with other agencies with complementary cyber missions, as well as private sector and other non-federal owners and operators of critical infrastructure, to ensure greater unity of effort and a whole-of-nation response to cyber incidents.

CISA Central

CISA Central's mission is to reduce the risk of systemic cybersecurity and communications challenges in our role as the Nation's flagship cyber defense, incident response, and operational integration center. Since 2009,CISA Central has served as a national hub for cyber and communications information, technical expertise, and operational integration, and by operating our 24/7 situational awareness, analysis, and incident response center.

CISA Central brings advanced network and digital media analysis expertise to bear on malicious activity targeting our nation's networks. CISA Central develops timely and actionable information for distribution to federal departments and agencies, state and local governments, private sector organizations, and international partners. CISA Central also operates the National Cybersecurity Protection System (NCPS), which provides intrusion detection and prevention capabilities to covered federal departments and agencies.

CISA Central’s National Cybersecurity Assessment and Technical Services (NCATS) offers cybersecurity scanning and testing services that identify vulnerabilities within stakeholder networks and provide risk analysis reports with actionable remediation recommendations. These critical services enable proactive mitigation to exploitable risks and include network (wired and wireless) mapping and system characterization; vulnerability scanning and validation; threat identification and evaluation; social engineering, application, database, and operating system configuration review; and incident response testing. For more information, email

CISA Central’s National Coordinating Center for Communications (NCC) leads and coordinates the initiation, restoration, and reconstitution of national security and emergency preparedness telecommunications services and/or facilities under all conditions. NCC leverages partnerships with government, industry and international partners to obtain situational awareness and determine priorities for protection and response.

Reporting Cyber Incidents to the Federal Government

Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government

Presidential Policy Directive (PPD)/PPD-41, United States Cyber Incident Coordination, outlines the roles federal agencies play during a significant cyber incident. The Department of Homeland Security (DHS) is unique among agencies in that it plays a major role in both asset response and threat response. Asset response focuses on the assets of the victim or potential targets of malicious activity, while threat response includes identifying, pursuing, and disrupting malicious cyber actors and activity.

DHS is the lead agency for asset response during a significant cyber incident. The department’s National Cybersecurity and Communications Center (NCCIC) assists asset owners in mitigating vulnerabilities, identifies other entities that may be at risk, and shares information across the public and private sectors to protect against similar incidents in the future. The Department of Justice, through the FBI and the NCIJTF, is the lead agency for threat response during a significant incident, with DHS’s investigative agencies—the Secret Service and ICE/HSI - playing a crucial role in criminal investigations.

This fact sheet, Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government, explains when, what, and how to report a cyber incident to the federal government.

National Cyber Incident Response Plan (NCIRP)

The NCIRP describes a national approach to cyber incidents, delineating the important role that private sector entities, state and local governments, and multiple federal agencies play in responding to incidents and how those activities all fit together. This updated plan applies to cyber incidents and more specifically significant cyber incidents that are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

The NCIRP reflects and incorporates lessons learned from exercises and cyber incidents, and policy and statutory updates, such as Presidential Policy Directive (PPD) 41 on Cyber Incident Coordination Policy and the National Cybersecurity Protection Act of 2014. The NCIRP leverages principles from the National Preparedness System and was developed in coordination with the Departments of Justice and Defense, the Sector Specific Agencies and other interagency partners, representatives from across 16 critical infrastructure sectors, the private sector, and state and local governments.

To learn more about the NCIRP, please visit the US-CERT NCIRP page.

Incident Response Training

To support the capacity of our nation’s cyber enterprise to “Defend Today, Secure Tomorrow” CISA has developed no-cost cybersecurity incident response training for government employees and contractors across Federal, State, Local, Tribal, and Territorial government, and is open to educational and critical infrastructure partners.

The Identify, Mitigate, and Recover (IMR) incident response curriculum provides a range of training offerings for beginner, intermediate, and advanced cyber professionals encompassing basic cybersecurity awareness and best practices for organizations, live red/blue team network defense demonstrations emulating real-time incident response scenarios, and hands- on cyber range training courses for incident response practitioners. Course types include: Awareness Webinars, Cyber Range Training, Cyber Range Challenges, and Observe the Attack. With four types of courses, there are valuable learning opportunities available for everyone from cyber newbies to veteran cybersecurity engineers. 

To learn more about CISA's Incident Response Training, please visit the Incident Response Training page.


Last Updated Date: September 7, 2021

Was this webpage helpful?  Yes  |  Somewhat  |  No