CISA Releases Updated National Cyber Incident Response Plan Draft

December 18, 2024

The first draft of the updated National Cyber Incident Response Plan (NCIRP) was made public by the Cybersecurity and Infrastructure Security Agency (CISA) alongside collaborators from the Office of the National Cyber Director (ONCD) and private sector representatives of the Joint Cyber Defense Collaborative (JCDC). This significant revision represents the first update to the original plan since its inception in 2016. The 42-page draft outlines the federal response to a large-scale cyberattack affecting the national economy by detailing how agencies would coordinate their efforts, who would make key decisions, and what priorities would be set during such an event.

CISA Director Jen Easterly underscored the importance of having a seamless and effective incident response framework given today’s increasingly complex threat landscape. The updated plan integrates valuable lessons learned over the years to foster more coordinated efforts between government entities and the private sector. The draft is open for public comment and feedback to further enhance its effectiveness and ensure that the plan remains relevant and robust.

Jeff Greene, executive assistant director for cybersecurity at CISA, emphasized that the updated plan was developed through extensive consultations with the private sector, including discussions on the involvement of non-federal stakeholders in cyber incident coordination. The streamlined plan now accounts for several new government agencies, including CISA itself, which were not included in the initial 2016 version. It also incorporates legal and policy updates that could affect the roles of various agencies and includes a schedule for future updates to maintain its relevance over time.

The updated NCIRP is characterized as an agile and actionable framework designed to prepare the nation for significant cyber incidents that could jeopardize economic stability, national security, and public health and safety. Greene noted that over 150 experts from 66 organizations contributed to its development, drawing on insights from three public listening sessions. The framework leverages government responses to past incidents, aiming to continually refine and improve future actions based on that experience.

The long-awaited update follows last year’s National Cyber Strategy, which called for revising the NCIRP. In September 2023, CISA faced bipartisan criticism for not establishing a specific Continuity of the Economy (COTE) plan, which was a requirement from the National Defense Authorization Act for fiscal 2021. The COTE plan was intended to detail federal measures in the event of a significant cyberattack on the U.S. economy. In response, CISA’s August report argued that existing plans already sufficiently address potential economic disruptions from cyberattacks, rendering a separate COTE plan unnecessary.

This draft update to the NCIRP is open to public comments until January 15, 2025. As CISA continues to examine past incidents to extract actionable insights, it aims to create a dynamic, referenceable document for future cyber incident responders. By drawing on previous experiences, this approach is designed to ensure that each response can build on past successes, thereby continually improving national cybersecurity preparedness and response strategies.
