CISA unveils NCIRP 2024 to address evolving threats, deliver unified approach to cyber incident response

The Cybersecurity and Infrastructure Security Agency (CISA) announced the next steps for ongoing engagement with industry and government to update the National Cyber Incident Response Plan (NCIRP). The NCIRP 2024 will address changes by incorporating lessons learned and feedback from stakeholders since the 2016 release, ensuring that the updated NCIRP is fully inclusive across non-federal stakeholders, and establishing a foundation for continued improvement of the nation’s response to significant cyber incidents. 

The NCIRP 2024 will be built on four principles: unification, shared responsibility, learning from the past, and keeping pace with evolutions in cybersecurity. CISA recognizes that national cyber incident response requires deeply committed partnerships across all levels of government, industry, and with international partners. The NCIRP 2024 will bring together a diverse community of stakeholders to collaborate towards a more secure future.

Cybersecurity is a team sport with players across the cybersecurity ecosystem playing unique roles in national cyber incident response. “The NCIRP 2024 will challenge traditional ways of working with our partners to move toward more forward-leaning, action-oriented collaboration to realize the full potential of each player’s authorities, capabilities, and expertise.”

There have been numerous changes to the organization and authorities of federal departments and agencies, including the creation of CISA and the expansion of its authorities, the overall growth in the capacity of federal agencies to engage in significant cyber incident response, increased international collaboration around cyber incident coordination, and, most importantly, the foundational role of the private sector in responding to and managing most cyber incidents without significant support from the federal government. 

The past eight years have seen cyber incidents of unprecedented scale, impact, and sophistication, while federal departments and agencies have undergone significant changes, including the creation of CISA, expanded authorities, increased cyber incident response capacity, increased international collaboration, and the private sector’s role in managing cyber incidents without significant federal government support.

CISA said that the NCIRP 2024 will explore past cybersecurity incidents to drive improvements and enable advances to national cyber incident response coordination efforts. By gleaning lessons from recent history, the NCIRP 2024 will fortify the nation’s cyber environment, helping to safeguard it against the dynamic landscape of threats.

It also acknowledges that the cybersecurity landscape is a complex, ever-evolving environment. “The NCIRP 2024 will build processes mindful of this complex environment to ensure the agility to stay ahead of changes in the environment. This approach reflects a shift to clearly defining intended outcomes and becoming more proactive. It showcases our commitment to agility in a sophisticated cybersecurity landscape by remaining vigilant and acting quickly as a collective whole.”

As directed by the President’s 2023 National Cybersecurity Strategy, CISA, in close coordination with the Office of the National Cyber Director, is embarking on a process to gather input from public and private sector partners, including the federal interagency, Sector Risk Management Agencies (SRMAs), regulators, and critical infrastructure organizations, to identify key changes for incorporation into the updated NCIRP.

The NCIRP 2024 planning initiative is part of the JCDC (Joint Cyber Defense Collaborative) Planning Agenda, bringing together government and the private sector to execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. As directed by the National Cybersecurity Strategy, the updated NCIRP is scheduled to be approved and published by the end of the calendar year 2024. 

Published in 2016, the NCIRP is the nation’s framework for coordinated response to significant cyber incidents. Since then, the cybersecurity threat landscape and national response ecosystem have changed. 

Apart from addressing the changes in the cyber defense ecosystem and evolving cyber threats, the NCIRP 2024 planning effort will bring together a community of stakeholders, including interagency partners, SRMAs, regulators, and non-federal stakeholders such as the private sector, state, local, tribal, territorial (SLTT) entities, and international partners. 

Through the JCDC, CISA will work to ensure that the updated NCIRP addresses significant changes in policy and cyber operations since the initial NCIRP was released, including the establishment of CISA and ONCD (Office of the National Cyber Director); maturation of private sector incident response and coordination capabilities; increased international collaboration around cyber incident response and coordination; shifts in the threat environment, including the ongoing ransomware threats and advances in adversary capabilities; and new authorities, policies, and coordination mechanisms.

“Over the past seven years, the cybersecurity landscape has changed dramatically, and our doctrine around cyber incident response and coordination must evolve as well,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a recent media statement. “Our approach to update the NCIRP will be grounded in transparency and collaboration, recognizing that the private sector is often the first responder to many cyber incidents and that adversary campaigns increasingly transcend national borders.” 

Goldstein added, “Our goal is for the NCIRP to provide an agile, actionable framework that can be actively used by every organization involved in cyber incident response to ensure coherent coordination that matches the pace of our adversaries. The success of this effort depends on the involvement of our partners – our output will only be as good as our input. Through our shared efforts, we will build a new NCIRP that helps our nation and our allies more effectively respond to and recover from cyber incidents in a manner that reduces harm to every possible victim.”

“Achieving the vision set forth in the President’s National Cybersecurity Strategy, which includes shifting the burden and responsibility away from small organizations and onto those more capable actors, requires us – the federal government and our largest private sector partners – to be collaborative, agile and responsive to the evolving threat landscape,” according to Christopher DeRusha, federal CISO and deputy National Cyber Director. “Working to improve the National Cyber Incident Response Plan is vital to that effort.”

CISA is planning to use a variety of mechanisms to engage with its federal, private sector, SLTT government, and international partners. Engagement mechanisms may include one-on-one meetings, group listening sessions, briefings, and discussions at conferences or other standing meetings. The agency will take a phased approach to this effort, building iteratively on each phase as it informs the process and illuminates areas for improvement in the NCIRP 2024.

CISA is currently in the ‘Planning Initiation’ phase to solicit insights that will support the development of the NCIRP 2024. Stakeholder engagement with federal partners began in September, and CISA plans to continue engaging additional stakeholders across the private sector, SLTT governments, and international partners through November. The initial engagement process is intended to collect insights on the planning process, based on lessons learned since 2016; identify opportunities for improving public-private significant cyber incident response and coordination; and gauge stakeholders’ interest in participating in the NCIRP 2024 Core Planning Team (CPT).

The NCIRP 2024 CPT will then transition to the ‘Planning and Development’ phase in December, which will include a series of CPT working meetings or writing sessions to produce a draft of the NCIRP 2024 with regular input from federal, private sector, SLTT governments, and international stakeholders. The revised draft will be published for a public comment period to ensure relevant stakeholders have ample opportunity to provide input prior to publication. Upon adjudication of final comments, the NCIRP will be published and socialized across the cybersecurity community. 

Earlier this month, CISA introduced two new resources to combat ransomware campaigns, as part of the Ransomware Vulnerability Warning Pilot (RVWP). These initiatives include a designated ‘Known to be Used in Ransomware Campaigns’ section in the Known Exploited Vulnerability (KEV) catalog, pinpointing KEVs linked with ransomware campaigns; and an inclusive table on StopRansomware.gov titled ‘Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns.’
