CISA issues cybersecurity incident, vulnerability response playbooks for federal agencies
The Cybersecurity and Infrastructure Security Agency has issued new playbooks to guide federal agencies’ response to cybersecurity incidents and software vulnerabilities.
The documents, which were published Tuesday, reinforce the Department of Homeland Security component agency’s work to formalize the communications processes and action plans federal agencies turn to when a cyberattack is discovered.
Much of the new guidance focuses on the preparation federal departments must do in anticipation of future cyberattacks, including monitoring multiple sources of threat intelligence, among them alerts from CISA’s EINSTEIN intrusion detection system and its Continuous Diagnostics and Mitigation (CDM) program.
The new playbooks also call for civilian agencies with advanced defensive capabilities and staff to establish active defense capabilities, such as the ability to redirect an adversary into a sandbox or honeynet system.
According to CISA, such systems allow it and law enforcement agencies to gain a more in-depth understanding of attackers’ methodologies, which can substantially increase the efficacy of the government’s response.
The new playbooks also underscore the importance of having plans to coordinate the response to a cyber incident or vulnerability, both within an agency and between agencies, over out-of-band platforms: staff will need to communicate by phone or chat rather than by email, and those channels must remain operational even when core systems are taken offline.
“These playbooks provide federal civilian executive branch (FCEB) agencies with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks,” said CISA. “Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these playbooks to evolve the federal government’s practices for cybersecurity response through standardizing shared practices that bring together the best people and processes to drive coordinated actions.”