Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
Cybersecurity Incident & Vulnerability Response Playbooks
Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems

Publication: November 2021
Cybersecurity and Infrastructure Security Agency

DISCLAIMER: This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp/

CONTENTS

Overview
Audience
Incident Response Playbook
Incident Response Process
Preparation Phase
Detection & Analysis
Containment
Eradication & Recovery
Post-Incident Activities
Coordination
Vulnerability Response Playbook
Preparation
Vulnerability Response Process
Evaluation
Remediation
Reporting and Notification
Appendix A: Key Terms
Appendix B: Incident Response Checklist
Appendix C: Incident Response Preparation Checklist
Appendix E: Vulnerability and Incident Categories
Appendix F: Source Text
Appendix G: Whole-of-Government Roles and Responsibilities

INTRODUCTION

The Cybersecurity and Infrastructure Security Agency (CISA) is committed to leading the response to cybersecurity incidents and vulnerabilities to safeguard the nation's critical assets. Section 6 of Executive Order 14028 directed DHS, via CISA, to "develop a standard set of operational procedures (playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch (FCEB) Information Systems."[1]

Overview

This document presents two playbooks: one for incident response and one for vulnerability response. These playbooks provide FCEB agencies with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks. In addition, future iterations of these playbooks may be useful for organizations outside of the FCEB to standardize incident response practices. Working together across all federal government organizations has proven to be an effective model for addressing vulnerabilities and incidents. Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these playbooks to evolve the federal government's practices for cybersecurity response through standardizing shared practices that bring together the best people and processes to drive coordinated actions.

The standardized processes and procedures described in these playbooks:

• Facilitate better coordination and effective response among affected organizations,
• Enable tracking of cross-organizational successful actions,
• Allow for cataloging of incidents to better manage future events, and
• Guide analysis and discovery.

Agencies should use these playbooks to help shape overall defensive cyber operations to ensure consistent and effective response and coordinated communication of response activities.

Scope

These playbooks are for FCEB entities to focus on criteria for response and thresholds for coordination and reporting. They include communications between FCEB entities and CISA; the connective coordination between incident and vulnerability response activities; and common definitions for key cybersecurity terms and aspects of the response process. Response activities in scope of this playbook include those:

• Initiated by an FCEB agency (e.g., a local detection of malicious activity or discovery of a vulnerability)
• Initiated by CISA (e.g., a CISA alert or directive) or other third parties, including law enforcement, intelligence agencies, or commercial organizations, contractors, and service providers

The Incident Response Playbook applies to incidents that involve confirmed malicious cyber activity and for which a major incident (as defined by the Office of Management and Budget [OMB] in

[1] Executive Order (EO) 14028: Improving the Nation's Cybersecurity