CISA Cyber Response Playbook Offers Best Practices for Government MSSPs

The Cybersecurity and Infrastructure Security Agency (CISA) has published new cybersecurity incident and vulnerability response procedures for federal civilian executive branch (FCEB) agencies.

FCEB agencies are all those except the 19 members of the intelligence community, such as the Departments of Defense, Justice, Homeland Security and the FBI. Along those lines, the playbooks do not cover response procedures that involve threats to classified information or national security. That is a whole different matter. The playbook applies not only to FCEB agencies but also to contractors engaging with agencies. In that regard, it can also serve as a best practices guide for managed security service providers (MSSPs) in the government market and in other types of engagements.

The playbook, entitled Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response, aims to provide FCEB agencies with a standard set of procedures to identify, coordinate, remediate, recover and track successful mitigations from incidents and vulnerabilities affecting systems, data and networks. The document itself is really two playbooks under a single cover, one dedicated to incident response and the other to vulnerability response.

The CISA playbook is designed to:

  • Facilitate better coordination and effective response among affected organizations.
  • Enable tracking of cross-organizational successful actions.
  • Allow for cataloging of incidents to better manage future events.
  • Guide analysis and discovery.

The incident response portion of the playbook:

  • Describes the process and completion through the incident response phases as defined by the National Institute of Standards and Technology (NIST).
  • Covers preparation, detection and analysis, containment, eradication and recovery, post-incident activities and coordination.
  • Describes the process FCEB agencies should follow for confirmed malicious cyber activity when a major incident has been declared or not yet been ruled out.

The vulnerability response segment of the playbook:

  • Standardizes the high-level process that agencies should follow when responding to urgent and high-priority vulnerabilities.
  • Covers preparation, vulnerability response processes, identification, evaluation, remediation, and reporting and notification.
  • Is not meant as a replacement for existing vulnerability management programs in place at an agency but instead builds on existing vulnerability management practices.

CISA's playbook follows President Biden's executive order issued in May tasking the agency with developing a standard set of operational procedures for “planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agencies. “Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these playbooks to evolve the federal government’s practices for cybersecurity response through standardizing shared practices that bring together the best people and processes to drive coordinated actions,” CISA wrote in the playbook.

The document drew positive reaction from the security community. “Dealing with complexities related to communication, resolution and seeking help when operations are crippled and communications disabled can be overwhelming,” said Purandar Das, co-founder and president at Sotero, an encryption-based security solutions provider. “Having a playbook and a plan in place can be the difference in successfully recovering and dealing with a cyber attack.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.