Consistent with the concept that security is the responsibility of all employees, all agency employees should be educated and trained on general incident response planning concepts and any related responsibilities, including how to notify response organizations, the information to report, and other relevant activities.
All incidents, exercises, and general activities offer opportunities to learn and improve planning. Accordingly, observation and evaluation should be key components of any incident response structure, including the planning cycle. All personnel should be given the opportunity to provide feedback on plans, training, and exercises.
Exercise evaluation activities should be managed independently of the response organization, as there is a potential conflict of interest if the reviewing entity resides within or is subordinate to the operational entity. For example, US-CERT should not self-evaluate participation in exercises like Cyber-Storm. Instead, independent evaluation personnel with the appropriate expertise, like those available from the Federal Emergency Management Agency (FEMA) National Exercise Division, should be used.
After-action reports should be accompanied by improvement plans that clearly identify the party responsible for implementing each improvement action, and a clearly defined action plan should be put into place that tracks the status of implementation. As evaluation programs mature and organizational planning processes increasingly integrate disciplines and functions (e.g., response, development, operations, business units), evaluation and learning should take place on a continual, parallel basis with regular opportunities to improve processes and protocols, rather than as a single step or phase in a process or sequence.