August 4, 2016


White House Cyber Directive: What Does it Mean and What’s Next?



On Tuesday, July 26, the White House released a new Presidential Policy Directive, PPD-41, United States Cyber Incident Coordination, which aims to clarify how the federal government will coordinate the response to a large-scale cyber incident, including how it will coordinate with affected private sector entities. This initiative is an important and welcome directive, consistent with the industry’s efforts with the government to develop, expand upon and clarify the public/private activities in response to an issue.


Highlights of this new Directive are:

I.  Incident severity – The PPD introduces a five-point “incident severity schema” that ranks cyber incidents based on their potential to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. Level 1 or 2 events are unlikely to have a major public or widespread impact, while a level 3 or higher event would warrant a coordinated federal response effort because it may involve the denial of a key service or system, destruction or corruption of data, or physical damage. The PPD applies only to these “significant” level 3 or above events. The schema aims to ensure all federal agencies have a common framework for assessing cyber incidents and the level of response required.

II.  Federal Agency Leadership – The PPD designates a lead agency for three key activities necessary during a cyber event. These areas of activity include:

  1. Threat Response, led by the Department of Justice (DOJ) and the FBI;
  2. Asset Response, led by the Department of Homeland Security (DHS) (asset response includes protecting assets and mitigating vulnerabilities to reduce the impact to systems and/or data; strengthening, recovering, and restoring services; identifying other entities at risk; and assessing potential risk to the broader community); and
  3. Intelligence Support, led by the Office of the Director of National Intelligence.

III.  Incident Coordination – The PPD calls for the creation of a Cyber Unified Coordination Group that will include relevant private sector entities to coordinate development, prioritization, and execution of cyber response efforts during a significant cyber incident.

IV.  Integrated Response Efforts – The PPD seeks to ensure that cyber response activities are integrated and consistent with response protocols for physical events. This is to ensure that the response to a cyber incident and its physical consequences can be effectively managed.

DHS Under Secretary Suzanne Spaulding held a conference call on Friday, July 29, with Sector Coordinating Councils, ISACs, and Trade Associations, to provide further guidance on the federal government’s integrated approach. A fact sheet circulated to support that call, Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government, explains when, what, and how to report to the Federal Government in the event of a cyber incident, in order to receive assistance from government agencies, which are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents.

DHS encourages private sector entities experiencing cyber incidents that could jeopardize the confidentiality, integrity, or availability of digital information or information systems to report them to the local field offices of federal law enforcement agencies, their sector specific agency, or other federal agencies. The federal agency receiving the initial report will coordinate with other relevant federal stakeholders, who will work together to help affected entities understand the incident, link related incidents, and share information to rapidly resolve the situation in a manner that protects privacy and civil liberties.

Cyber incidents resulting in significant damage are of particular concern to the Federal Government, and victims are encouraged to report all cyber incidents that may:

  • Result in a significant loss of data, system availability, or control of systems;
  • Impact a large number of victims;
  • Indicate unauthorized access to, or malicious software present on, critical information technology systems;
  • Affect critical infrastructure or core government functions; or
  • Impact national security, economic security, or public health and safety.

Next Steps

As we referenced above, the PPD and incident severity schema are a positive development that should help clarify roles and responsibilities and assist the Financial Services Sector in preparing for cyber incidents. Member firms should familiarize themselves with the PPD, annex, and severity schema, which all can be accessed on the White House web site.

Implementation of the PPD will require updating and finalizing the National Cyber Incident Response Plan (NCIRP), which will be led by DHS in coordination with the sector-specific agencies. The Financial Sector is represented on the NCIRP drafting team.

The PPD also requires DHS and DOJ to develop a concept of operations for how a Cyber Unified Coordination Group (UCG) will operate. The UCG will coordinate the Federal Government’s operational response to a significant incident, and will include members of the Private Sector as appropriate based on the circumstances of the incident. FSR/BITS is a member of the Treasury Working Group that will provide input to DHS and DOJ on the UCG, including how Financial Sector incident response processes will synchronize with government incident response processes.

Member firms should establish relationships with their local FBI offices to facilitate the process of notifying the Government when they face a significant cyber incident, and should ensure that contact information is included in their preparedness and business continuity planning and playbooks. Member firms should also contact Treasury’s Office of Critical Infrastructure Protection and Compliance Policy to obtain the forms that must be used in submitting a “Request for Technical Assistance” (RTA) from the Federal Government.

Murray W. Kenyon is the Senior Vice President of BITS