(Regular print denotes ITAPS-supported recommendations made in response to the questions; flagged items, marked "(non-ITAPS)", are expanded recommendations that more explicitly address questions not directly addressed by ITAPS. The author participated in and collaborated with the ITAPS OMB-OPM-NSC Task Force.)
How can agencies effectively address current time lags with detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response times? Please include ideas on how government agencies can expand capabilities beyond reacting to known threats through programs like Einstein, to identify new threats and zero-day exploits in near real-time.
Typically, private sector organizations place incident response teams on retainer or are able to otherwise very quickly bring in surge incident response capabilities as an incident demands. Recognizing that government agencies may not have similar contracting flexibility, agencies should nonetheless review contracting mechanisms or vehicles (such as the United States Computer Emergency Response Team (US-CERT) fly-away teams) to enable the rapid deployment of incident response surge capabilities.
Agencies should complete the development and implementation of integrated, cross-business-unit (e.g., IT operations, business, privacy, legal, human resources, and vendors) cyber incident response plans. It is critical that those plans be finalized, promulgated, drilled, trained, evaluated, and improved. Top-down plans such as the National Cyber Incident Response Plan or National Cyber Response Framework need to be finalized and promulgated so that agencies can understand and internalize them and align their own bottom-up plans with them.
Planning efforts and scenarios should consider the impact of degraded operating environments on the ability to respond effectively, including the loss of certain capabilities due to adversary activities. For instance, in a denial of service scenario, the ability to communicate internally and externally may be degraded, affecting the ability to coordinate and execute response actions.
(non-ITAPS) Breaches are often identified significantly late, and this needs to be corrected immediately by rigorously applying best practices such as implementing and monitoring appropriate security controls and processes, log and system reviews, behavior monitoring, vulnerability management, security intelligence (from various vendors, other Government entities, and the US Cyber Board), identity and access management, encryption, etc.
(non-ITAPS) Once a breach is detected, ensure immediate assessment, escalation, and action to prevent additional breaches (bring the system down, close off access, etc.); identification of, and action on, other systems with similar vulnerabilities; notification of the appropriate national CERT, such as US-CERT; and a request for independent assistance from another qualified CERT.
(non-ITAPS) After a breach, rapidly make a joint decision (Department/Agency Head, IG, and Independent CERT) and document the requirement and timing for reporting up the administrative chain, to the Congress and to the public.
(non-ITAPS) Each Department/Agency must have in place policies, procedures, communication plans, and incident response capabilities that are fully documented and exercised frequently, to ensure that everyone knows their roles and responsibilities, is empowered to execute, and has an agreement in place for independent assistance from a qualified CERT.