1. Collaborate with Other Agencies and the Private Sector
One of the common themes throughout the wave of new guidance we’ve seen this year has been a call to develop more collaborative relationships between federal agencies on cybersecurity matters. Large-scale incidents often involve more than one agency, and advance planning and information sharing lead to a more coordinated and effective response to emerging incidents.
The Joint Cyber Defense Collaborative brings together the federal military and law enforcement communities along with state and local partners to coordinate planning efforts, facilitate information sharing, and conduct exercises and assessments designed to measure the effectiveness of the nation’s cybersecurity defenses.
President Joe Biden is also calling for federal agencies to remove barriers to collaboration with the private sector firms that operate critical technology infrastructure. In a May 12 executive order, he called upon federal agencies to remove contractual barriers to information sharing, calling this collaboration necessary to “accelerating incident deterrence, prevention, and response efforts.”
2. Update Responses to Specific Threats
External changes also influence the effectiveness of your incident response plan. Just as your agency’s operations evolve over time, so does the threat landscape.
Researchers discover new vulnerabilities, attackers develop new tactics, and security controls mitigate risks in different ways. As you review your incident response plan, think about how changes in the external threat environment might impact your plan. What types of incidents are occurring at other government agencies and private sector organizations? Would your plan cover those incidents well?
For example, ransomware attacks have increased dramatically over the past year. While you might treat this threat as similar to other malware threats from a prevention standpoint, ransomware raises new questions from an incident response perspective.
The threat here is so significant that the DHS placed ransomware at the top of its priority list, focusing a 60-day activity sprint this spring on tackling ransomware more effectively.
Agencies at all levels of government should consider their own response plans for a ransomware attack. Documenting planned actions in incident response plans and playbooks provides an opportunity to guide future critical decisions.