CISA pitches updated cyber incident response plan as an \u2018agile, actionable\u2019 framework | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-national-cyber-incident-response-plan-comments\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA pitches updated cyber incident response plan as an \u2018agile, actionable\u2019 framework\"> <meta property=\"og:description\" content=\"The agency is seeking public comment on its much-anticipated draft update to 2016\u2019s PPD-41.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-national-cyber-incident-response-plan-comments\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-12-16T20:00:41+00:00\"> <meta property=\"article:modified_time\" content=\"2024-12-16T20:00:42+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730999764g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82919\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82919\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-national-cyber-incident-response-plan-comments%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-national-cyber-incident-response-plan-comments%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82919 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-national-cyber-incident-response-plan-comments\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.375\">\n<div class=\"single-article__header-content\" readability=\"32.727272727273\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/cisa-national-cyber-incident-response-plan-comments\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The agency is seeking public comment on its much-anticipated draft update to 2016\u2019s PPD-41. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82919\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"39.678861788618\"><body readability=\"81.511860832894\"><\/p>\n<p>The Cybersecurity and Infrastructure Security Agency on Monday opened a <a href=\"https:\/\/www.federalregister.gov\/documents\/2024\/12\/16\/2024-29395\/request-for-comment-on-the-national-cyber-incident-response-plan-update\">month-long public comment period<\/a> for its updated draft plan detailing how the public and private sectors should respond to significant cyber incidents.<\/p>\n<p>The revamped <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-12\/NCIRP%20Update%20Public%20Comment%20Draft%20508c.pdf\">National Cyber Incident Response Plan<\/a> \u2014 an effort from CISA, the agency\u2019s <a href=\"https:\/\/cyberscoop.com\/tag\/joint-cyber-defense-collaborative\/\">Joint Cyber Defense Collaborative<\/a> and the Office of the National Cyber Director \u2014 builds on 2016\u2019s <a href=\"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2016\/07\/26\/presidential-policy-directive-united-states-cyber-incident\">Presidential Policy Directive-41<\/a>, a pre-CISA document that provided a framework for how the federal government, private sector, international partners and state, local, tribal and territorial (SLTT) governments collectively respond to cyber incidents.<\/p>\n<p>The updated NCIRP, which was called for in the Biden administration\u2019s <a href=\"https:\/\/www.whitehouse.gov\/oncd\/national-cybersecurity-strategy\/\">2023 national cybersecurity strategy<\/a>, was compiled after years of \u201cbroad and extensive engagement\u201d CISA said it had with Sector Risk Management Agencies, regulators, interagency partners and public- and private-sector partners, according to a release from the agency. The draft document, CISA noted, \u201cconsiders the evolution in the cyber threat landscape and lessons learned from historical incidents.\u201d<\/p>\n<p>In a briefing with reporters Monday, Jeff Greene, CISA\u2019s executive assistant director for cybersecurity, said more than 150 cyber experts from 66 organizations were consulted in the making of the draft document, many of whom work with the JCDC. The agency also hosted three public listening sessions as part of its work on the plan.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The result of extensive work with government and industry partners, Greene said, is \u201cwhat we hope is an agile, actionable, updated framework that will provide coherent coordination that matches the pace of our adversaries and the predictable method for how to engage with us.\u201d<\/p>\n<p>The document lays out an organizational structure for national cyber incident response, carving out four lines of response (LOEs): asset response, threat response, intelligence support and affected entity response. CISA would lead coordinated efforts for asset response, while ODNI is tapped to manage intelligence support, and federal law enforcement agencies \u2014 including the Department of Justice and FBI \u2014 are supposed to handle threat response. The affected entity response depends on the impacted agency or entity.<\/p>\n<p>The draft NCIRP also assigns coordinating responsibilities to various federal agencies and offices for specific incidents, breaks down the key activities and decisions as part of the incident detection and response phases, and details recommended post-incident measures. <\/p>\n<p>Greene said the document is not intended to provide a \u201cblow by blow\u201d for cyber incident response, given that \u201cevery incident is going to be different.\u201d But the draft does seek to create a clearly defined path for non-federal stakeholders to have a say in coordinating efforts, Greene said, in addition to \u201cstreamlining content and aligning it to the operational life cycle, incorporating relevant legal and policy changes that impact agency roles and responsibilities\u201d and establishing a \u201cpredictable life cycle\u201d for future updates.<\/p>\n<p>Giving the private sector a voice in the writing of the NCIRP was \u201cessential from day one,\u201d Greene said, and that input will continue \u201cto be essential going forward.\u201d Industry leaders haven\u2019t been shy about pushing the Biden administration to pare down on <a href=\"https:\/\/cyberscoop.com\/hearing-cyber-regulations-harmonization\/\">duplicative<\/a> and <a href=\"https:\/\/cyberscoop.com\/congress-cybersecurity-harmonization-oncd-report\/\">overly burdensome<\/a> cyber regulations.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cOne of the things that we heard pretty loud and clear was the interest that private-sector companies had in knowing where, when and how they plug in with us in the federal government,\u201d he said, adding that CISA tried to \u201cbuild some predictability into the process.\u201d<\/p>\n<p>Comments on the updated draft are due by Jan. 15, 2025. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.8625592417062\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework-1.jpg?w=640&ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-national-cyber-incident-response-plan-comments\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA pitches updated cyber incident response plan as an \u2018agile,<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1209,78,452,2069,3340,1903,3341],"tags":[668,86,454,2071,3342,1904,3343],"class_list":["post-6627","post","type-post","status-publish","format-standard","hentry","category-cisa","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-joint-cyber-defense-collaborative-jcdc","category-national-cyber-incident-response-plan","category-odni","category-oncd","tag-cisa","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-joint-cyber-defense-collaborative-jcdc","tag-national-cyber-incident-response-plan","tag-odni","tag-oncd"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisa\/\" rel=\"category tag\">CISA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/joint-cyber-defense-collaborative-jcdc\/\" rel=\"category tag\">Joint Cyber Defense Collaborative (JCDC)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/national-cyber-incident-response-plan\/\" rel=\"category tag\">National Cyber Incident Response Plan<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/odni\/\" rel=\"category tag\">ODNI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/oncd\/\" rel=\"category tag\">ONCD<\/a>","tag_info":"ONCD","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6627"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6627\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6627,"date":"2024-12-16T14:00:41","date_gmt":"2024-12-16T20:00:41","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82919"},"modified":"2024-12-16T14:00:41","modified_gmt":"2024-12-16T20:00:41","slug":"cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/12\/16\/cisa-pitches-updated-cyber-incident-response-plan-as-an-agile-actionable-framework\/","title":{"rendered":"CISA pitches updated cyber incident response plan as an \u2018agile, actionable\u2019 framework"},"content":{"rendered":"