debugging

THE U.S. FEDERAL

GOVERNMENT RESPONSE TO A

CYBER INCIDENT
In July, the White House released a Presidential Policy Directive (PPD) on United
States Cyber Incident Coordination1 2, answering longstanding questions about
how the U.S. Federal Government will coordinate its response to cyber incidents.
The Digital Futures Project at the Wilson Center has debugged the directive for you.

A CYBER INCIDENT is defined as an event occurring on or conducted through a computer network that actually
or imminently jeopardize the integrity, confidentiality, or availability of computers, information or communications
systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information
resident thereon.1
A SIGNIFICANT CYBER INCIDENT is defined as a cyber incident that is (or group of related cyber incidents that
together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy
of the United States or to the public confidence, civil liberties, or public health and safety of the American people.1

SHARED RESPONSIBILITY:
Everyone has a stake in protecting the
U.S. from cyber threats: individual
citizens, the private sector and
government.

RISK-BASED RESPONSE:
Any response (and resources required
to respond) will be determined by an
assessment of the risk posed on a
domestic and international level.

ENABLING RESTORATION & RECOVERY:

All government response will work to
facilitate restoration and recovery of an
affected entity.

WHAT
GUIDES
U.S.
GOVERNMENT
RESPONSE

UNITY OF GOVERNMENT EFFORT:

While different government
departments and agencies posess
different roles and responsibilities,
interagency coordination is critical in
achieving optimal results.

RESPECTING AFFECTED ENTITIES:

Federal Government responders will safeguard: details
of the incident, privacy and civil liberties, and sensitive
private sector information. If there is significant
government interest in issuing a public statement,
coordination will occur with affected entities.

HOW THE U.S. GOVERNMENT RESPONDS

ASSET RESPONSE

INTELLIGENCE SUPPORT

This includes tactics to investigate,

attribute and mitigate the impact of a
cyber incident through evidence
collection, identifying affected
entities and developing a course of
action. LEAD AGENCY: Department
of Justice through the FBI and the
National Cyber Investigative Joint Task
Force.

This includes providing technical

assistance to affected entities and
reducing the impact of a cyber incident.
Asset response additionally provides
guidance on best using Federal
resources. LEAD AGENCY: Department
of Homeland Security through the
National Cybersecurity and
Communications Integration Center.

This includes facilitating situational

threatawareness, sharing related
intelligence, analysis of threat trends,
identification of knowledge gaps and
the ability to mitigate adversary threat capabilities. LEAD AGENCY: Office of the
Director of National Intelligence through
the CyberThreat Intelligence Integration
Center.

RESPONSIBILITIES

THREAT RESPONSE

In working towards NATIONAL POLICY COORDINATION, the National Security Council will chair an
interagency Cyber Response Group (CRG) to coordinate and develop U.S. policy in regards to significant
cyber incidents.

In working towards NATIONAL OPERATIONAL COORDINATION, a Cyber Unified Coordination Group

(UCG) will be created if a significant cyber incident occurs. The Cyber UCG will coordinate the response
efforts outlined above. To increase the effectiveness of a Cyber UCG, Federal lead agencies will work
alongside relevant Sector-Specific Agencies (SSAs), all levels of government, international counterparts
and private sector entitites.

In working towards FIELD-LEVEL COORDINATION, lead Federal agencies (DoJ, DHS and ODNI) will
coordinate interactions with each other and the affected entity.

Sources
1
2

https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident
https://www.whitehouse.gov/the-press-office/2016/07/26/fact-sheet-presidential-policy-directive-united-states-cyber-incident-1