What does the latest U.S. federal action on cybersecurity mean for you? The recent executive order, together with the guidance the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has published in response to it, could provide a good framework for defending against ransomware and other attacks.

In its executive order on ‘Improving the Nation’s Cybersecurity’ (Executive Order 14028), the White House directed the Secretary of the Department of Homeland Security (DHS) to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch (FCEB) Information Systems.”

Now CISA has fulfilled that mandate by publishing the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The two playbooks give FCEB agencies standard procedures for responding to security incidents and for responding to vulnerabilities that adversaries are known to be actively exploiting.

Unpacking the CISA Playbooks

To better understand these playbooks, I sat down with Gregory Touhill, ISACA board chair and director of the CERT Division of Carnegie Mellon University’s Software Engineering Institute. Touhill was also the U.S. government’s first chief information security officer (CISO), appointed by then-President Barack Obama. Here’s what he had to tell me.

David Bisson: What is the significance of CISA releasing its recent incident and vulnerability response playbooks?

Gregory Touhill: Previously in my career, I worked with organizations to build out cyber incident playbooks for critical infrastructure partners. I recall working with the financial services sector to identify best practices and tactics, techniques and procedures to build out incident response playbooks. But at that time, everyone was doing their own thing across the federal government, and DHS didn’t have the authority to standardize incident response and event management.

It’s a different story with CISA. This organization has the authority to take all the lessons from previous and current administrations to identify best practices in incident response and vulnerability management. The significance here is that CISA can standardize those guidelines as well as make sure every department and agency is following them. This helps to ensure there’s a common framework for more effective incident response and attack assessment if and when a bad day happens across the .gov domain. Similarly, it puts CISA in a position where it can take those playbooks and share them with critical infrastructure players.

Let me be clear. Without standardization, the federal government faces the risk of incomplete or ineffective response. There’s no unity of effort. There’s no proper communication of threats in a timely manner. And with that lack of communication, there’s the potential that a great solution set from one part of government doesn’t get communicated to another part. Such a gap can expand the federal government’s risk exposure, as attackers might try to target other agencies and departments. To prevent this from happening, we want to make sure we have common actions so that we can maximize precious resources and put them where they need to be at a time when they’re needed.

DB: What stands out to you from the playbooks?

GT: CISA’s playbooks embody a great and well-anticipated evolution of some of the efforts we’ve been doing for many years. They build on work that’s already been done. They also build on authorities that have come before, ensuring that we have a much more disciplined approach to cybersecurity going forward.

These standardized best practices come on the heels of CISA having announced the Joint Cyber Defense Collaborative public-private partnership initiative. When viewed with this initiative, it’s clear that CISA’s playbooks will be cross-fed with critical infrastructure partners along with different sector-specific agencies. They will be a great source of collaborative best practices to enhance cooperation with private industry organizations.

How Is This Relevant to Business?

DB: What part of CISA’s playbooks do organizations tend to struggle with most?

GT: Most of the time, organizations struggle to exercise their incident response and vulnerability management plans. An organization can have the best playbook out there, but if it doesn’t exercise it on a regular basis, well, ‘If you don’t use it, you lose it’. It needs to make sure that its playbooks have the proper scope so that everyone from executives to everyone else within the organization knows what they need to know…

When I say ‘exercise’, it’s important that organizations test their plans under realistic conditions. I’m not saying they need to unplug a device or bring in simulated bad code. They just need to make sure everyone tasked in the playbook knows what’s going on, understands what their roles are and periodically tests the plans. They can take the lessons they’ve learned and refine them. Incident response exercises don’t end with victory. They end with lessons for the future.

Ultimately, documents that sit on a shelf rarely get read. To be high-performing, industry, government and critical infrastructure organizations need to continue to test their technology, processes and people. They also need to understand their priorities and check multiple contingencies in an iterative way. For instance, after having run an exercise with IT, they can choose to run through the same (or similar) plan with operational technology to build their preparedness against attacks targeting their industrial control systems.

What the Playbook Doesn’t Cover

DB: Anything that you wish was included but didn’t make it into the playbooks?

GT: Three things. First, I would have liked to have seen CISA put some requirements in about the frequency of the exercises. CISA could have set a specific number of times that organizations must exercise their plans each year, for example.

Second, I would have liked to have seen some more clarity about the identification of best practices. Someone might figure out a new way for attack warning and assessment. But how does what they come up with get boosted up the chain of command? We need to have a good model for encouraging people to identify best practices as well as a workable model for evaluating those recommendations. We also need to have a mechanism in place so that best practices can be incorporated and quickly disseminated to playbook owners.

Finally, I would have liked to have seen some sort of governance model. Who will be reviewing these playbooks on a regular basis for content improvements? It shouldn’t just be CISA. It can be done through the auspices of bodies like the Federal CISO Council. This will bring more maturity on governance and oversight to the playbooks overall.

DB: Any other thoughts you have on the playbooks?

GT: Organizations need to be proactive. They can’t wait for a bad day to occur.
