







The Florida Center for Cybersecurity (also known as Cyber Florida) was established at the University of South Florida in 2014 under Florida statute 1004.444. The goals of the center are to: position Florida as a national leader in cybersecurity and its related workforce through advancing and funding education, research, and development initiatives in cybersecurity; assist in the creation of jobs in the state’s cybersecurity industry and enhance the existing cybersecurity workforce; act as a cooperative facilitator for state business and higher education communities to share cybersecurity knowledge, resources, and training; seek out research and development agreements and other partnerships with major military installations to assist, when possible, in homeland cybersecurity defense initiatives; and attract cybersecurity companies to the state with an emphasis on the defense, finance, health care, transportation, and utility sectors.
With the shared mission of promoting cybersecurity preparedness and enhancing the cyber resiliency of our Nation, Cyber Florida is eager to provide comments to the Cybersecurity and Infrastructure Security Agency (CISA) on the updated National Cybersecurity Incident Response Plan (NCIRP).
While an update to the 2016 NCIRP was a prudent decision (considering the constant state of evolution and improvement to cybersecurity), we agree that this should not be considered a step-by-step instruction manual. The flexibility of this document should be like that of the FEMA National Response Framework (NRF) for crises and emergencies. It is also a great benefit to CISA to implement regular cycles of updates to this plan as incident reports find potential improvements. That said, the primary consideration that needs to be made is how CISA intends to be proactive in its coordination with private (and other) sectors to manage a cyber incident. For instance, the indicated LOE leads provide significant clarification on the responsible agencies when an incident occurs, but oftentimes the issue is not the response itself, but rather what “coordination” entails. The coordinating structures table aligns well with the goal of the NCIRP to serve as a framework, but the notion of “unified coordination” should be well addressed and practiced prior to any incident. CISA’s efforts to educate and train on what resources it has and what its role is when a cyber incident occurs should continue to be at the forefront to mitigate any response issues when these large and diverse organizations must coordinate. This should include not only providing the annex with resources, but also encouraging agencies to proactively use them.
Another critical issue to consider is that while the NCIRP is meant to be a high-level framework, effective coordination with other agencies requires a level of existing communication and, more importantly, agencies need to have their own cybersecurity plans in place. As a partner in response and with situation reports from prior incidents, CISA has the opportunity to embed itself into the planning efforts of agencies, but this should be prioritized by agencies as well. Cyber Florida recommends that CISA actively partner with groups and organizations that represent the various sectors and critical infrastructure industries to promote the adoption of the NCIRP and the creation of specific agency-wide plans (as indicated in Annex B). Doing so would not only engage agencies to adopt an internal cybersecurity incident response plan, but also actively identify where their role would be within the larger plan.
Lastly, the NCIRP’s primary focus is on the support of affected agencies when a cyber incident has been identified and mitigation is necessary. However, on a larger scale, CISA’s emphasis on this is due to increasing threats to governance (as evidenced by attacks on many local, regional and state governments in recent years). We believe that partnerships with groups and organizations that have regular communication with agencies and critical infrastructure entities at local levels would augment the regular updates to the NCIRP based on lessons learned. To do so, the NCIRP should also provide more clarity on how (if at all) reporting will impact an agency, as voluntary reporting creates holes in the lessons learned.
Overall, we believe that this iteration of the NCIRP has provided an extensive framework for agencies to not only consider, but also embed into their own organizations for cybersecurity incident response. Annex D’s listing of the various major entities and their roles in the asset response is detailed and thorough, but as indicated above, engaging with these entities prior to an incident will be critical for CISA, as coordination challenges and breakdowns often occur during an incident response when there was no prior understanding of how the incident response will engage these different entities together.
Author
Ratna B. Dougherty, PhD
Assistant Professor, School of Public Affairs
University of South Florida
Contact Information
Ernie Ferraresso eferraresso@cyberflorida.org 813 974 1869
Director
Cyber Florida