CISA’s New Cybersecurity Playbooks

As large-scale cyber attacks become more commonplace, the federal government has begun to take a more serious, hands-on approach to the nation's security posture.

On May 12, 2021, President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity", which directs federal agencies to standardize security practices across the government. The order came days after the Colonial Pipeline ransomware attack (the Kaseya supply-chain attack followed in July 2021) as criminals increasingly targeted critical infrastructure. Roughly six months later, in November 2021, CISA published two playbooks to help agencies respond to incidents and vulnerabilities. Although written for the Federal Civilian Executive Branch (FCEB), the playbooks are useful to any organization looking to bolster its cybersecurity.

Under the executive order, CISA was tasked with "developing a standard set of operational procedures to be used in planning and conducting cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch (FCEB) Information Systems". The resulting playbooks cover incident response and vulnerability response for the FCEB. Both establish a direct line of communication between agencies and CISA so that attacks are reported promptly and the response is coordinated when an agency is affected.

Incident Response Playbook

The incident response playbook gives agencies step-by-step instructions for responding to and reporting incidents, following the incident response lifecycle defined in NIST SP 800-61 Rev. 2. As with any good cybersecurity plan, the IR playbook begins with a preparation phase that includes:

  • Documenting and understanding policies and procedures for incident response
  • Instrumenting the environment to detect suspicious and malicious activity
  • Establishing staffing plans
  • Educating users on cyber threats and notification procedures (security awareness training)

Next, an agency needs a detection and analysis process that lets it correctly identify a suspected attack and determine its scope. This includes collecting data (logs, network traffic, host artifacts), performing technical analysis, and determining the tactics and techniques the attacker is using.

The remaining phases are containment, eradication and recovery, and coordination. Once a threat is detected it must be contained: isolate the impacted systems, reset exposed credentials, and block the attacker's access. The threat is then eradicated from all affected systems, those systems are restored to normal operation, and the agency coordinates with CISA on the next steps. The full playbook can be read here.
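The detection, analysis and containment steps described above, as an added example in runnable form (this is not code from the CISA playbook or from this article). It parses constructed sshd log lines, flags a source address that fails many logins and then succeeds, and turns each finding into the containment actions the playbook calls for. Host names, IP addresses, user names and the detection threshold are assumptions made for the example.

```python
"""Detection-and-containment pass over constructed SSH auth log lines.

Added example, not part of the CISA playbook or this article. Host names,
IP addresses and user names are constructed; the threshold and window in
detect_brute_force() are assumptions a real deployment would tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines (not real data). Syslog timestamps
# carry no year, so parse() assumes 2021 for ordering.
SAMPLE_LOG = """\
Nov 16 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Nov 16 09:00:03 web01 sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 50212 ssh2
Nov 16 09:00:05 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 50213 ssh2
Nov 16 09:00:08 web01 sshd[1204]: Failed password for deploy from 203.0.113.7 port 50214 ssh2
Nov 16 09:00:11 web01 sshd[1205]: Failed password for deploy from 203.0.113.7 port 50215 ssh2
Nov 16 09:00:14 web01 sshd[1206]: Failed password for deploy from 203.0.113.7 port 50216 ssh2
Nov 16 09:00:16 web01 sshd[1206]: Connection closed by 203.0.113.7 port 50216 [preauth]
Nov 16 09:00:20 web01 sshd[1207]: Accepted password for deploy from 203.0.113.7 port 50217 ssh2
Nov 16 09:02:00 web01 sshd[1301]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Nov 16 09:02:05 web01 sshd[1302]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+ ssh2$"
)


def parse(log_text, year=2021):
    """Data collection: turn raw lines into structured login events.
    Lines that are not login outcomes (e.g. 'Connection closed') are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "host": m["host"], "ip": m["ip"],
                       "user": m["user"], "outcome": m["outcome"]})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Technical analysis: flag a (host, source IP) pair that accumulates at
    least `threshold` failed logins inside `window` and then logs in
    successfully. A brute-force attempt that worked is an incident, not noise."""
    recent_failures = defaultdict(list)   # (host, ip) -> failure timestamps
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["ip"])
        recent = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            recent_failures[key] = recent
            continue
        if len(recent) >= threshold:
            findings.append({"host": ev["host"], "ip": ev["ip"], "user": ev["user"],
                             "failures": len(recent), "first_failure": recent[0],
                             "success_at": ev["ts"]})
        recent_failures[key] = []          # a success ends the streak
    return findings


def containment_actions(finding):
    """Containment: the actions the playbook describes (isolate impacted
    systems, change credentials, block unauthorized access), made concrete
    for one finding. Isolate and preserve evidence before wiping anything,
    so eradication and later analysis still have data to work from."""
    h, ip, user = finding["host"], finding["ip"], finding["user"]
    return [
        f"isolate {h} from the network and preserve its memory and disk image for analysis",
        f"disable or reset the credentials of {user} on {h} and review what that account did after {finding['success_at']:%H:%M:%S}",
        f"block {ip} at the perimeter and search other hosts' logs for the same source",
        f"report the incident to CISA with the timeline ({finding['failures']} failures from {finding['first_failure']:%H:%M:%S}, login at {finding['success_at']:%H:%M:%S})",
    ]


if __name__ == "__main__":
    for f in detect_brute_force(parse(SAMPLE_LOG)):
        print(f"{f['host']}: {f['ip']} logged in as {f['user']} after {f['failures']} failures")
        for action in containment_actions(f):
            print("  -", action)
```

With the constructed log, the 203.0.113.7 source is flagged (six failures, then a successful login as deploy) while the single mistyped password from 198.51.100.5 is not; the threshold and window are the knobs to tune against your own baseline of failed logins.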

Vulnerability Response Playbook

According to CISA's vulnerability response playbook, a standard vulnerability management program includes "phases for identifying, analyzing, remediating, and reporting vulnerabilities". The identification phase involves recognizing a vulnerability that may affect your systems, determining its severity, and determining what software and systems may be impacted.

In the evaluation phase the goal is to determine which systems are susceptible, which are already compromised, and which are not affected. A solid grasp of where your systems stand is what keeps a vulnerability from turning into an incident; a system that shows evidence of exploitation is handled under the incident response playbook. The last two steps are remediation and reporting. Once a vulnerability is confirmed it must be patched promptly, or mitigated where no patch is yet available. Finally, reporting vulnerabilities and breaches to CISA helps the federal government understand and defend against current and future attacks on critical infrastructure.
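The evaluation and remediation steps above, as an added example (not code from the CISA playbook or from this article): an asset inventory is triaged against one advisory into the three buckets the evaluation phase needs, and the buckets are turned into an ordered remediation and reporting plan. The advisory identifier, product name, version range, host names and the indicator of compromise are all constructed for the example.

```python
"""Triage of an asset inventory against a vulnerability advisory.

Added example, not part of the CISA playbook or this article. The
advisory, inventory and indicator of compromise below are constructed;
the identifier, product and version numbers are not real.
"""


def parse_version(v):
    # "2.10.1" -> (2, 10, 1). Comparing tuples of ints avoids the string
    # ordering pitfall where "2.10.1" sorts before "2.4.3".
    return tuple(int(p) for p in v.split("."))


ADVISORY = {
    "id": "EXAMPLE-2021-0001",               # constructed identifier
    "product": "examplesrv",                  # constructed product name
    "affected_from": "2.0.0",                 # inclusive lower bound
    "fixed_in": "2.4.3",                      # exclusive upper bound
    "ioc_file": "/var/www/html/.cache.php",   # constructed webshell path
}

# Constructed inventory: what each host runs and which files were seen on it.
INVENTORY = [
    {"host": "web01", "product": "examplesrv", "version": "2.4.1",
     "files": ["/var/www/html/index.php"]},
    {"host": "web02", "product": "examplesrv", "version": "2.4.1",
     "files": ["/var/www/html/index.php", "/var/www/html/.cache.php"]},
    {"host": "web03", "product": "examplesrv", "version": "2.10.0", "files": []},
    {"host": "db01", "product": "exampledb", "version": "1.2.0", "files": []},
    {"host": "web04", "product": "examplesrv", "version": "2.4.3", "files": []},
]


def is_vulnerable_version(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def triage(inventory, advisory):
    """Evaluation phase: sort hosts into compromised, susceptible, not affected.
    A host is compromised if it is on a vulnerable version AND shows the
    indicator of compromise; susceptible if vulnerable with no indicator."""
    buckets = {"compromised": [], "susceptible": [], "not_affected": []}
    for asset in inventory:
        if asset["product"] != advisory["product"] or not is_vulnerable_version(asset["version"], advisory):
            buckets["not_affected"].append(asset["host"])
        elif advisory["ioc_file"] in asset["files"]:
            buckets["compromised"].append(asset["host"])
        else:
            buckets["susceptible"].append(asset["host"])
    return buckets


def remediation_plan(buckets, advisory):
    """Remediation and reporting: compromised hosts go to the incident
    response playbook first (patching over a live intrusion destroys
    evidence and leaves the attacker's access in place), susceptible hosts
    are upgraded, and a summary line is prepared for the report to CISA."""
    plan = []
    for h in buckets["compromised"]:
        plan.append(f"{h}: evidence of exploitation; open an incident and follow the IR playbook before patching")
    for h in buckets["susceptible"]:
        plan.append(f"{h}: upgrade {advisory['product']} to {advisory['fixed_in']} or later")
    plan.append(f"report {advisory['id']}: {len(buckets['compromised'])} compromised, "
                f"{len(buckets['susceptible'])} susceptible, {len(buckets['not_affected'])} not affected")
    return plan


if __name__ == "__main__":
    for step in remediation_plan(triage(INVENTORY, ADVISORY), ADVISORY):
        print(step)
```

With the constructed data, web02 is compromised, web01 is susceptible, and web03 (a newer 2.10.0 release), db01 (a different product) and web04 (already on the fixed version) are not affected. The version comparison is deliberately numeric: a naive string comparison would wrongly mark 2.10.0 as older than 2.4.3 and put web03 in the wrong bucket.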


The nation's cybersecurity posture should be top of mind for every agency, because the nation is only as secure as its weakest participant. As attacks on critical infrastructure grow more frequent, the U.S. must adapt to fight ransomware, malware, phishing and related threats. Practical playbooks like these from CISA help the nation move forward and build a more secure future.

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.

One Partner. Total Cybersecurity.
