White House Issues Policy Directive on Cyber Incident Coordination | Practical Law


President Obama has approved a Presidential Policy Directive (PPD-41) on US Cyber Incident Coordination. This PPD codifies the policy that governs the federal government's response to significant cyber incidents in the public and private sectors.

White House Issues Policy Directive on Cyber Incident Coordination

Practical Law Legal Update w-002-8872 (Approx. 4 pages)


by Practical Law Intellectual Property & Technology
Published on 27 Jul 2016 | USA (National/Federal)
On July 26, 2016, the White House issued a press release announcing the approval of Presidential Policy Directive (PPD) 41, US Cyber Incident Coordination, directed to the federal government's response to significant cyber incidents.
Continuing to advance President Obama's Cybersecurity National Action Plan, this PPD:
  • Sets out governing principles for the federal government’s response to any cyber incident, whether involving government or private sector entities.
  • Establishes lead federal agencies and an architecture for coordinating the broader federal government response when a significant cyber incident occurs.
  • Requires the US Departments of Justice and Homeland Security to maintain updated contact information for public use to assist entities affected by cyber incidents in reporting those incidents to the proper authorities.

Incident Response Principles

The PPD sets out the following principles to guide the federal government during any cyber incident response:
  • Shared Responsibility. Individuals, the private sector, and government agencies have a shared interest and complementary roles and responsibilities in protecting against malicious cyber activity and managing cyber incidents and their consequences.
  • Risk-Based Response. The federal government will determine its response actions and resource needs based on an assessment of the risk to the affected entities and to US national security, foreign relations, and the economy.
  • Respecting Affected Entities. Federal government responders will safeguard details of the incident, as well as privacy and civil liberties, and sensitive private sector information.
  • Unity of Effort. Whichever federal agency first becomes aware of a cyber incident will rapidly notify other relevant federal agencies to facilitate a unified response and ensure that the right combination of agencies responds to a particular incident.
  • Enabling Restoration and Recovery. Federal agencies will conduct response activities to support restoration and recovery of an entity that has experienced a cyber incident. Responders will seek to balance investigative and national security requirements with the need to return to normal operations as quickly as possible.

Lead Agency Designations

To establish accountability and enhance clarity, the PPD establishes three lead agencies to organize federal response activities:
  • The Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force, will be the federal lead agency for threat response activities. Threat response activities include the law enforcement and national security investigation of a cyber incident, such as:
    • collecting evidence;
    • linking related incidents;
    • gathering intelligence;
    • identifying opportunities for threat pursuit and disruption; and
    • providing attribution.
  • The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, will be the federal lead agency for asset response activities. Asset response activities include:
    • providing technical assets and assistance to mitigate vulnerabilities and reduce the impact of an incident;
    • identifying and assessing the risk posed to other entities and mitigating those risks; and
    • giving guidance on how to leverage federal resources and capabilities.
  • The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will be the federal lead agency for intelligence support and related activities. Intelligence support and related activities include intelligence collection in support of investigations and integrated analysis of threat trends and events to:
    • build situational awareness;
    • identify knowledge gaps; and
    • improve abilities to degrade or mitigate threats.

Cyber Incident Severity Schema

In connection with the PPD, the US Federal Cybersecurity Centers have also adopted a common schema for describing the severity of cyber incidents. This six-level schema ranges from the Baseline Level 0 (an unsubstantiated or inconsequential event) to Emergency Level 5 (the incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government services, or the lives of US citizens). The schema is useful to ensure that all stakeholders have a common view of the:
  • Severity of a given incident.
  • Urgency required for responding to a given incident.
  • Seniority level necessary for coordinating response efforts.
  • Level of investment required for response efforts.