On July 26, 2016, the White House unveiled Presidential Policy Directive PPD-41 (“PPD-41”), Subject: United States Cyber Incident Coordination, which sets forth principles for federal responses to cyber incidents approved by the National Security Council (“NSC”). Coming on the heels of several high-profile federal breaches, including the Office of Personnel Management’s loss of security clearance information and the hack of over 700,000 IRS accounts, PPD-41 is a component of President Obama’s Cybersecurity National Action Plan. PPD-41 focuses first on incident response to cyber attacks on government assets, but also outlines federal incident responses to cyber attacks on certain critical infrastructure within the private sector.
PPD-41 groups federal incident response into two broad categories: cyber incidents and significant cyber incidents. PPD-41 directs the first federal agency that detects a cyber incident, under the direction of the Department of Justice (“DOJ”) and the Department of Homeland Security (“DHS”), to “rapidly notify” relevant agencies. According to PPD-41, the federal government typically will not play a role in responding to cyber incidents involving private sector entities, beyond remaining “cognizant” of those entities’ responses.
However, PPD-41 lays out a more robust response for cyber incidents that have significant impacts on an entity, national security or the broader economy, noting that such incidents require a unique approach to response efforts. To that end, PPD-41 outlines a coordinated federal response to significant cyber incidents through the use of a Cyber Unified Coordination Group (“Cyber UCG”), which is defined as a response coalition made up of relevant federal agencies and private sector partners.
In order to ensure streamlined national operational coordination by a Cyber UCG, PPD-41 appoints specific federal agencies as leading coordinators for three key components of incident response:
- Threat Response: Activities include collecting evidence, investigative activity and identifying affected entities. PPD-41 directs that DOJ, acting through the FBI and the National Cyber Investigative Joint Task Force, be the federal lead agency for threat response activities.
- Asset Response: Activities include offering technical support to affected entities, mitigating vulnerabilities and reducing the impact of cyber incidents. PPD-41 directs that DHS lead these efforts in a Cyber UCG, acting in coordination with the National Cybersecurity and Communications Integration Center.
- Intelligence Support: Activities include analysis of threat trends, information sharing and mitigating threat capabilities. PPD-41 establishes the Office of the Director of National Intelligence to act as the lead federal agency for intelligence support within a Cyber UCG.
Upon formation of a Cyber UCG, PPD-41 directs that federal agencies assign appropriate senior executives, staff and resources to execute the agency’s responsibilities as part of a Cyber UCG. The Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight or command responsibilities.
Under PPD-41, such a Cyber UCG can be formed at the direction of the NSC, the Cyber Response Group (to which PPD-41 also assigns the responsibility of leading federal policy on cyber incident response) and sector-specific agencies. However, PPD-41 also directs the formation of a Cyber UCG where a significant cyber incident “could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” Notably, this builds on President Obama’s Executive Order 13636 (“Improving Critical Infrastructure Cybersecurity”), which calls for the identification of “Critical Infrastructure at Greatest Risk” using similar criteria.
In sum, PPD-41 seeks to improve the federal government’s response to cyber incidents. Owners and operators of critical infrastructure labeled “Critical Infrastructure at Greatest Risk” under Executive Order 13636 should be aware that a significant cyber incident involving such assets could activate a Cyber UCG under PPD-41. Building early relationships with key federal agencies can help such private sector entities work effectively with a Cyber UCG in the event of a cyber attack.