Standardizing the playbook for responding to cyber vulnerabilities, incidents

It is hard to quantify how much the federal government has been hobbled in its responses to cyber incidents by not having uniform procedures to identify, remediate and recover from vulnerabilities and attacks. But there is no doubt that the lack of a single set of standards makes it difficult for the Cybersecurity and Infrastructure Security Agency (CISA) to track agencies’ responses, their effectiveness and their compliance with National Institute of Standards and Technology (NIST) guidance, such as the requirement to use multi-factor authentication.

Section 6 of President Joe Biden’s cyber executive order aims to address this shortcoming by having CISA work with the director of the Office of Management and Budget, the Federal Chief Information Officers Council, the Federal Chief Information Security Officers Council, the director of the National Security Agency, the Attorney General and the director of National Intelligence. They are tasked with creating a standard set of operational procedures “to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting federal civilian executive branch” (FCEB) information systems.

This playbook, as the executive order calls it, must incorporate all appropriate NIST standards and articulate what milestones signify progress and completion through every phase of incident response. At the same time, the progression through those phases must remain flexible enough that the playbook can support a variety of response activities.

All FCEB agencies must use the playbook.

“I think having a standardized playbook for responding to incidents is incredibly important across the whole of government,” said Greg Touhill, director of the CERT Division at Carnegie Mellon University’s Software Engineering Institute, and former federal CISO in the Obama administration. “By the executive order calling that out and saying, ‘CISA, you have the lead for this,’ [it shows] you need somebody to call cadence.”

Touhill said the requirement that CISA develop a cyber incident playbook will be a real game changer for federal cybersecurity. He also praised the agency’s announcement in August of the formation of the Joint Cyber Defense Collaborative, which is meant to synchronize planning and facilitate coordinated action across multiple federal agencies, many state and local governments, and a large number of private sector entities. All of that improves federal cybersecurity, he said.

To support implementation, the OMB director is required to issue guidance on agency use of the playbook. Any agency whose cybersecurity vulnerability or incident response procedures deviate from the playbook may use them only after consulting with the OMB director and the Assistant to the President and National Security Advisor, and only after demonstrating that its alternative procedures meet or exceed the standards set by the playbook.

“When you look at the way [the Executive Order] is trying to set policy, it’s not saying you have to use a particular technology — that’s where you retain flexibility,” said Michael Daniel, former special assistant to the President and cybersecurity coordinator, now the president and CEO of the Cyber Threat Alliance. “I’ve become a little more skeptical of the idea that ‘we can’t specify more because the technology changes too fast’ argument … I think there are things we now know are best practices that aren’t going to change very rapidly, so we can deploy them across the government and our critical infrastructure sectors.”

Section 6 gives CISA, in consultation with the NSA director, responsibility for creating the playbook and reviewing and updating it every year. The playbook must also establish a requirement that the director of CISA review and validate each civilian agency’s incident response and remediation results once that agency completes its response to a cyber incident.

One other standardization opportunity: the playbook must define key terms, consistent with any statutory definitions, so that agencies share a common understanding of what constitutes a cyber incident and how the cybersecurity status of each agency is described. Everyone will have a common vocabulary.

The Executive Order gives CISA 120 days from the date of its issuance to create the playbook. Since the order was signed on May 12, 2021, that deadline falls in early September.

Table of Relevant Deadlines Set in Sections 7 and 8

Sections 7 and 8 set several deadlines for immediate action, counted from the date of the order, with other deadlines following the completion of those first steps.

| Deadline | Responsible party | Required outcome |
| --- | --- | --- |
| 30 days | Secretary of DHS, acting through CISA | Provide the OMB director with recommendations on implementing an Endpoint Detection and Response (EDR) initiative |
| 75 days | All civilian agencies | Establish or update Memoranda of Agreement with CISA for the Continuous Diagnostics and Mitigation (CDM) Program |
| 45 days | NSA director | Recommend actions to the Secretary of Defense, the Director of National Intelligence and the Committee on National Security Systems (CNSS) to improve detection of cyber incidents affecting National Security Systems |
| 90 days | Secretary of Defense; Director of National Intelligence | Review the recommendations for National Security Systems and establish policies to implement them |
| 90 days | Director of CISA | Report to the OMB director and the Assistant to the President and National Security Advisor on how the legal authorities to conduct threat-hunting activities on civilian agencies’ networks are being implemented |
| 60 days | Secretary of Defense; Secretary of DHS; OMB director | Establish procedures for DOD and DHS to immediately share DOD Incident Response Orders and DHS Emergency Directives and Binding Operational Directives, including cross-adoption of each other’s directives |
| 14 days | Secretary of DHS, acting through CISA; Attorney General; Administrator of the OMB Office of Electronic Government | Provide the OMB director with recommendations on requirements for logging events and retaining other relevant data within agencies’ systems and networks |

