Planning for Significant Cyber Incidents: An Introduction for Decisionmakers

Kotila, Brodi; Hodgson, Quentin E.; Boudreaux, Benjamin; Mitch, Ian; Clark-Ginsberg, Aaron; Lilly, Sale; Leuschner, Kristin J.; Wingfield, Tom

This report is intended to inform National Critical Function stakeholders about developing actionable contingency plans. It describes contingency planning for a significant cyber incident, focusing on the importance of planning, the process of developing a plan, and options for operationalizing a plan. It summarizes the major concepts that are explored in detail in a separate how-to guide.

Read Online

Planning for Significant Cyber Incidents

An Introduction for Decisionmakers

by Brodi Kotila, Quentin E. Hodgson, Benjamin Boudreaux, Ian Mitch, Aaron Clark-Ginsberg, Sale Lilly, Kristin J. Leuschner, Tom Wingfield

Download Free Electronic Document

Format	File Size	Notes
PDF file	0.3 MB	Use Adobe Acrobat Reader version 10 or higher for the best experience.

Research Questions

Why is planning for significant cyber incidents important?
Why develop a contingency plan?
How is a contingency plan developed?
How is a contingency plan used?

Cyber incidents are occurring with increasing frequency, and these incidents are becoming more disruptive and costlier. Some such incidents exceed stakeholders' capacity to respond using everyday means.

The stakes are particularly high with respect to U.S. National Critical Functions (NCFs). Securing NCFs requires unity of effort within the federal government and effective collaboration and cooperation within state, local, tribal, and territorial (SLTT) governments and the private sector.

The Cybersecurity and Infrastructure Security Agency asked the Homeland Security Operational Analysis Center (HSOAC) to develop a contingency planning implementation (how-to) guide, including a contingency plan (CONPLAN) template, that NCF stakeholders could use to develop NCF-specific CONPLANs to guide their response to and efforts to mitigate the impacts of a significant cyber incident affecting their NCFs.

Summarizing key elements of the companion how-to guide, this report is intended to inform leadership and managers in NCF stakeholder organizations across government and the private sector on the purpose, components, and processes for developing an actionable CONPLAN. This report provides an overview of contingency planning for a significant cyber incident, focusing on the importance of planning, the process of developing a plan, and options for operationalizing a plan. It summarizes the major concepts that are explored in detail in the separate how-to guide.

Key Findings

The challenges in the decisionmaking environment in which response to a significant cyber incident affecting a National Critical Function (NCF) takes place can involve rapidly unfolding incidents, a high degree of uncertainty, an indefinite beginning and end, and an unknown cause.
Planning can also be critical because government and private-sector responders responsible for NCFs have experienced relatively few significant cyber incidents.
Contingency plans (CONPLANs) are useful tools to facilitate coordinated, rapid, and effective response to significant cyber incidents and other contingencies.
Plans help clarify incident response stakeholders' roles and responsibilities, establish requirements for information-sharing, specify coordination mechanisms, identify possible interdependencies and cascading effects, and identify actions to improve preparedness and resilience in advance of a significant cyber incident.
The process of developing the plan is just as important as the resulting document. The planning process can illuminate authorities, capabilities, and competencies that are relevant to incident response and deepen stakeholders' understanding of their respective roles and responsibilities.
Building the core planning team is critical to the planning process. The team should include a lead entity and representatives of key organizations responsible for NCF cyber incident response.
The planning process has five steps: Gather data and survey the threats, develop mission statements and objectives, develop courses of action, draft a plan, and evaluate risks to the plan.
Stakeholders can operationalize an approved CONPLAN by disseminating it; testing, exercising, and training with it; documenting and reviewing lessons learned; developing a knowledge base on cybersecurity and resilience; and maintaining and updating the plan.

Research conducted by

RAND Homeland Security Research Division

This research was sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and conducted by the Strategy, Policy and Operations Program within the Homeland Security Operational Analysis Center.

This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.

U.S.-China Rivalry in a Neomedieval World

Now Is the Time for Space Traffic Management

The Global Movement Against China's Economic Coercion Is Accelerating

Your Health Insurance May Not Be As Good As Your State Requires—and It's Perfectly Legal

Ukraine is running out of ammo. The West doesn’t have enough.

The Policy Currents Podcast

Helping Coastal Communities Plan for Climate Change

Managing Escalation in Crisis and War

Measuring Wellbeing to Help Communities Thrive

Assessing and Articulating the Wider Benefits of Research

Planning for Significant Cyber Incidents

Download Free Electronic Document

Research Questions

Key Findings

Research conducted by

Citation

Connect

Contact Us

I am interested in

Follow

Stay Informed

Resources

Site Information