It is hard to quantify how much the federal government has been hobbled in its responses to cyber incidents by not having uniform procedures to identify, remediate and recover from vulnerabilities and attacks. But there is no doubt that the lack of a single set of standards makes it difficult for the Cybersecurity and Infrastructure Security Agency to track agencies’ responses, their effectiveness and their compliance with National Institute of Standards and Technology standards such as multi-factor authentication.
Section 6 of President Joe Biden’s cyber executive order aims to address this shortcoming by having CISA work with the director of the Office of Management and Budget, the Federal Chief Information Officers Council, the Federal Chief Information Security Officers Council, the director of the National Security Agency, the Attorney General and the director of National Intelligence. They are tasked with creating a standard set of operational procedures “to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting federal civilian executive branch” (FCEB) information systems.
This playbook, as the executive order names it, will incorporate all appropriate standards laid out by NIST, and lay out what milestones signify progress and completion through all phases of incident response. At the same time, the progression through those steps must allow for flexibility so it can be used for a variety of responses.
All FCEB agencies must use the playbook.
“I think having a standardized playbook for responding to incidents is incredibly important across the whole of government,” said Greg Touhill, director of the CERT Division at Carnegie Mellon University’s Software Engineering Institute, and former federal CISO in the Obama administration. “By the executive order calling that out and saying, ‘CISA, you have the lead for this,’ [it shows] you need somebody to call cadence.”
Touhill said the specification that CISA develop a cyber incident playbook will be a real game changer for federal cybersecurity. He also praised the agency’s announcement in August of the formation of the Joint Cyber Defense Collaborative to synchronize plans to address risks and facilitate coordinated action across multiple federal agencies, many state and local governments, and a vast number of private sector entities. All of that improves federal cybersecurity, he said.
To further help out, the OMB director is required to issue guidance on agency use of the playbook. Any agencies with cybersecurity vulnerability or incident response procedures that are different from those laid out in the playbook have to get prior approval from OMB and the Assistant to the President and National Security Advisor. For approval, they must demonstrate that their alternative procedures meet or exceed the standards set by the playbook.
“When you look at the way [the Executive Order] is trying to set policy, it’s not saying you have to use a particular technology — that’s where you retain flexibility,” said Michael Daniel, former special assistant to the President and cybersecurity coordinator, now the president and CEO of the Cyber Threat Alliance. “I’ve become a little more skeptical of the idea that ‘we can’t specify more because the technology changes too fast’ argument … I think there are things we now know are best practices that aren’t going to change very rapidly, so we can deploy them across the government and our critical infrastructure sectors.”
Section 6 gives CISA responsibility for creating the playbook and updating it every year. Along with that responsibility, the playbook gives CISA the authority to review and validate civilian agencies’ incident response and remediation results after a cyber incident.
One other standardization opportunity: the playbook shall define key terms to ensure a shared understanding across agencies of cyber incidents and the cybersecurity status of all agencies. Everyone will have a common vocabulary.
The Executive Order gives CISA 120 days from the date of its issuance to create the playbook, which will be in the middle of September.
Table of Relevant Deadlines Set in Sections 7 and 8

Sections 7 and 8 set several deadlines for immediate action, with other deadlines following their completion. Each entry below lists who must act and the required outcome.

Action required by: Secretary of DHS/CISA
Outcome: Provide to Director of OMB recommendation on implementing an Endpoint Detection and Response (EDR) initiative

Action required by: All civilian agencies
Outcome: Establish or update Memoranda of Agreement with CISA for the Continuous Diagnostics and Mitigation Program

Action required by: [not stated]
Outcome: Recommend actions to Secretary of Defense, Director of National Intelligence and the Committee on National Security Systems (CNSS) to improve detection of cyber incidents affecting those systems

Action required by: Secretary of Defense; Director of National Intelligence
Outcome: Review recommendations for National Security Systems and establish policies to implement them

Action required by: Director of CISA
Outcome: Report for OMB Director and the Assistant to the President and National Security Advisor on legal authorities for threat-hunting activities on civilian agencies’ networks that are being implemented

Action required by: Secretary of Defense; Secretary of DHS
Outcome: Establish procedures for DOD and DHS to immediately share DOD Incident Response Orders or DHS Emergency Directives and Binding Operational Directives, including cross-adoption

Action required by: Secretary of DHS/CISA; Administrator, OMB Office of Electronic Government
Outcome: Provide to OMB Director recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks
Amelia Brust/Federal News Network