
The White House

July 26, 2016

Presidential Policy Directive -- United States Cyber Incident Coordination


SUBJECT: United States Cyber Incident Coordination

The advent of networked technology has spurred innovation, cultivated knowledge, encouraged free expression, and increased the Nation's economic prosperity. However, the same infrastructure that enables these benefits is vulnerable to malicious activity, malfunction, human error, and acts of nature, placing the Nation and its people at risk. Cyber incidents are a fact of contemporary life, and significant cyber incidents are occurring with increasing frequency, impacting public and private infrastructure located in the United States and abroad.

United States preparedness efforts have positioned the Nation to manage a broad range of threats and hazards effectively. Every day, Federal law enforcement and those agencies responsible for network defense in the United States manage, respond to, and investigate cyber incidents in order to ensure the security of our information and communications infrastructure. The private sector and government agencies have a shared vital interest in protecting the Nation from malicious cyber activity and managing cyber incidents and their consequences. The nature of cyberspace requires individuals, organizations, and the government to all play roles in incident response. Furthermore, effective incident response efforts will help support an open, interoperable, secure, and reliable information and communications infrastructure that promotes trade and commerce, strengthens international security, fosters free expression, and reinforces the privacy and security of our citizens.

While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts. These significant cyber incidents demand unity of effort within the Federal Government and especially close coordination between the public and private sectors.

I. Scope

This Presidential Policy Directive (PPD) sets forth principles governing the Federal Government's response to any cyber incident, whether involving government or private sector entities. For significant cyber incidents, this PPD also establishes lead Federal agencies and an architecture for coordinating the broader Federal Government response. This PPD also requires the Departments of Justice and Homeland Security to maintain updated contact information for public use to assist entities affected by cyber incidents in reporting those incidents to the proper authorities.

II. Definitions

III. Principles Guiding Incident Response

In carrying out incident response activities for any cyber incident, the Federal Government will be guided by the following principles:

IV. Concurrent Lines of Effort

In responding to any cyber incident, Federal agencies shall undertake three concurrent lines of effort: threat response; asset response; and intelligence support and related activities. In addition, when a Federal agency is an affected entity, it shall undertake a fourth concurrent line of effort to manage the effects of the cyber incident on its operations, customers, and workforce.

V. Architecture of Federal Government Response Coordination for Significant Cyber Incidents

In order to respond effectively to significant cyber incidents, the Federal Government will coordinate its activities in three ways:

VI. Unified Public Communications

The Departments of Homeland Security and Justice shall maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant Federal agencies about a cyber incident.

VII. Relationship to Existing Policy

Nothing in this directive alters, supersedes, or limits the authorities of Federal agencies to carry out their functions and duties consistent with applicable legal authorities and other Presidential guidance and directives. This directive generally relies on and furthers the implementation of existing policies and explains how United States cyber incident response structures interact with those existing policies. In particular, this policy complements and builds upon PPD-8 on National Preparedness of March 30, 2011. By integrating cyber and traditional preparedness efforts, the Nation will be ready to manage incidents that include both cyber and physical effects.


Annex for Presidential Policy Directive -- United States Cyber Incident Coordination

SUBJECT: Federal Government Coordination Architecture for Significant Cyber Incidents

I. Scope

This annex to PPD-41, United States Cyber Incident Coordination Policy, provides further details concerning the Federal Government coordination architecture for significant cyber incidents and prescribes certain implementation tasks.

II. Coordination Architecture

III. Federal Government Response to Incidents Affecting Federal Networks

Nothing in this directive alters an agency's obligations to comply with the requirements of the Federal Information Security Modernization Act of 2014 (FISMA) or Office of Management and Budget (OMB) guidelines related to responding to an "incident," "breach," or "major incident" as defined in that statute and OMB guidance. Federal agencies shall follow OMB guidance to determine whether an incident is considered a "major incident" pursuant to FISMA. If the cyber incident meets the threshold for a "major incident," it is also a "significant cyber incident" for purposes of this directive and shall be managed in accordance with this directive.

IV. Implementation and Assessment

Federal agencies shall take the following actions to implement this directive:

PPD Source: The White House

Annex Source: The White House