The President signed a Presidential Policy Directive (PPD) this week that sets forth principles for the Federal Government’s response to any cyber incident, whether it involves other governments or private sector entities. The principles are shared responsibility, risk-based response, respecting affected entities, unity of effort, and enabling restoration and recovery. For significant cyber incidents, the PPD establishes lead federal agencies and an architecture for coordinating a broader Federal Government response to the incident.
PPD-41 also delineates government agency roles during cyber incidents. The Department of Justice (DOJ), Department of Homeland Security (DHS), the Office of the Director of National Intelligence (ODNI), and other related agencies make up the Cyber Unified Coordination Group, which will be the main go-between for responding to major cyber events. DOJ (through the FBI and the National Cyber Investigative Joint Task Force) will lead on threat response, DHS is charged with asset response, and ODNI will take the lead on the analysis and intelligence aspect of the response. For threat response, DOJ will communicate with stakeholders at an affected organization and with law enforcement to collect evidence and intelligence, stop the immediate cyber threat, and start the information sharing process with DHS. Asset response involves helping the victim find the bad actor on its system, repair the system, patch the vulnerability, reduce the risks of future incidents, and prevent the incident from happening to others.
The PPD also directs DHS to lead the effort to write the National Cyber Incident Response Plan. This Plan will set out how the federal government will work with the private sector and state, local, and territorial governments in responding to a significant cyber incident.
Presidential Policy Directive — United States Cyber Incident Coordination:
Annex for Presidential Policy Directive — United States Cyber Incident Coordination:
FACT SHEET: Presidential Policy Directive on United States Cyber Incident Coordination:
Statement by DHS Secretary Jeh Johnson: