President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity tasked the U.S. Cybersecurity and Infrastructure Security Agency (CISA) with developing a standard set of operational procedures for the Federal Civilian Executive Branch (FCEB) to use when responding to incidents and vulnerabilities. CISA recently released the Cybersecurity Incident & Vulnerability Response Playbooks as a single document. While this guidance is intended for FCEBs, it may be applicable to other entities as well.
What follows is an analysis of that guidance from the perspective of a security practitioner.
Cybersecurity Incident Response Playbook: The good
The Incident Response Playbook builds on the widely used NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, which countless organizations reference when building incident response (IR) capabilities and carrying out IR activities. It follows the standard IR phases:
- Preparation
- Detection and analysis
- Containment
- Eradication and recovery
- Post-incident activity
- Coordination
The guidance provides comprehensive details for each IR phase, so that FCEB agencies and other organizations that adopt the playbooks can take actionable steps to improve their IR processes.