Planning for Significant Cyber Incidents

An Introduction for Decisionmakers

Brodi Kotila, Quentin E. Hodgson, Benjamin Boudreaux, Ian Mitch, Aaron Clark-Ginsberg, Sale Lilly, Kristin J. Leuschner, Tom Wingfield

Research report, published Jun 27, 2022

Cyber incidents are occurring with increasing frequency, and these incidents are becoming more disruptive and costlier. Some such incidents exceed stakeholders' capacity to respond using everyday means.

The stakes are particularly high with respect to U.S. National Critical Functions (NCFs). Securing NCFs requires unity of effort within the federal government and effective collaboration and cooperation within state, local, tribal, and territorial (SLTT) governments and the private sector.

The Cybersecurity and Infrastructure Security Agency asked the Homeland Security Operational Analysis Center (HSOAC) to develop a contingency planning implementation (how-to) guide, including a contingency plan (CONPLAN) template, that NCF stakeholders could use to develop NCF-specific CONPLANs to guide their response to and efforts to mitigate the impacts of a significant cyber incident affecting their NCFs.

Summarizing key elements of the companion how-to guide, this report is intended to inform leadership and managers in NCF stakeholder organizations across government and the private sector on the purpose, components, and processes for developing an actionable CONPLAN. This report provides an overview of contingency planning for a significant cyber incident, focusing on the importance of planning, the process of developing a plan, and options for operationalizing a plan. It summarizes the major concepts that are explored in detail in the separate how-to guide.

Key Findings

  • The decisionmaking environment in which response to a significant cyber incident affecting a National Critical Function (NCF) takes place can be challenging: incidents may unfold rapidly, involve a high degree of uncertainty, have no definite beginning or end, and have an unknown cause.
  • Planning can also be critical because government and private-sector responders responsible for NCFs have experienced relatively few significant cyber incidents.
  • Contingency plans (CONPLANs) are useful tools to facilitate coordinated, rapid, and effective response to significant cyber incidents and other contingencies.
  • Plans help clarify incident response stakeholders' roles and responsibilities, establish requirements for information-sharing, specify coordination mechanisms, identify possible interdependencies and cascading effects, and identify actions to improve preparedness and resilience in advance of a significant cyber incident.
  • The process of developing the plan is just as important as the resulting document. The planning process can illuminate authorities, capabilities, and competencies that are relevant to incident response and deepen stakeholders' understanding of their respective roles and responsibilities.
  • Building the core planning team is critical to the planning process. The team should include a lead entity and representatives of key organizations responsible for NCF cyber incident response.
  • The planning process has five steps: gather data and survey the threats, develop mission statements and objectives, develop courses of action, draft a plan, and evaluate risks to the plan.
  • Stakeholders can operationalize an approved CONPLAN by disseminating it; testing, exercising, and training with it; documenting and reviewing lessons learned; developing a knowledge base on cybersecurity and resilience; and maintaining and updating the plan.

Document Details

Citation

RAND Style Manual
Kotila, Brodi, Quentin E. Hodgson, Benjamin Boudreaux, Ian Mitch, Aaron Clark-Ginsberg, Sale Lilly, Kristin J. Leuschner, and Tom Wingfield, Planning for Significant Cyber Incidents: An Introduction for Decisionmakers, Homeland Security Operational Analysis Center operated by the RAND Corporation, RR-A1265-1, 2022. As of October 10, 2024: https://www.rand.org/pubs/research_reports/RRA1265-1.html
Chicago Manual of Style
Kotila, Brodi, Quentin E. Hodgson, Benjamin Boudreaux, Ian Mitch, Aaron Clark-Ginsberg, Sale Lilly, Kristin J. Leuschner, and Tom Wingfield, Planning for Significant Cyber Incidents: An Introduction for Decisionmakers. Homeland Security Operational Analysis Center operated by the RAND Corporation, 2022. https://www.rand.org/pubs/research_reports/RRA1265-1.html.

This research was sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and conducted by the Strategy, Policy and Operations Program within the Homeland Security Operational Analysis Center.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.