Memo on State Cybersecurity Response Plans

This memo identifies commonalities and differences among 32 cybersecurity incident and disruption response plans within 26 states. A cyber incident typically refers to data breaches, stolen personally identifiable information, unauthorized data encryption or any incident that affects data, which the state chief information security officer (CISO) has the authority to address. A cyber disruption is an event, either man-made or natural, that temporarily disables critical infrastructure resources, such as electricity, finances and water. Within the response plans, states defined “cyber events” to detail when and how they would prepare for, respond to and recover from a cyber incident or disruption event.

Among the 32 plans, 17 are incident response plans, 13 are disruption response plans and two are planning documents for establishing a response plan. A majority of these plans are either a procedural document within the state’s information technology (IT) agency or an annex to the statewide emergency operations plan (EOP) (see Table 1). Most states identified their IT agency as the lead agency for implementing the plan, while other states designated homeland security departments, departments of public safety or emergency management agencies as the lead agencies (see Table 1).

Plans written as an annex to the state EOP or as a disruption response plan tended to identify more supporting agencies to assist in preparing for, responding to and recovering from a cyber event than those written as an IT policy. These plans embodied a whole-of-government approach by identifying fusion centers, state police, departments of military affairs, the National Guard, departments of public safety and others to prepare for and respond to a cyber event (see Table 1). To coordinate a state response among these actors, 19 states stand up a response team, the state emergency operations center or a unified command structure (UCS) during a cyber event. Virginia’s UCS, for example, has three lead agencies, with its IT agency managing cyber response activities, and its emergency management agency and state police coordinating response and recovery efforts. Michigan took a unique approach by centralizing all the relevant entities into one unit, the Cyber Disruption Response Team, with the IT agency acting as chairman and the Emergency and Homeland Security Division acting as vice chair.

Most plans divide roles and responsibilities among participating agencies by preparation, response and recovery activities. In roughly half of the plans, these roles are further broken down by specific threat levels. Although states differ in their lead agency’s degree of involvement during these phases of a cyber event, there were some commonalities. During the preparation phase, lead agencies conduct risk assessments for state agencies, assist in agency network security, hold user awareness and response plan exercises, and assist state agencies in developing communication protocols. More similarities were seen in response activities, which included assigning attribution, investigating the event, quarantining the event and prioritizing response efforts. The recovery phase tended to be a continuation of the response phase, but with an emphasis on investigating the incident, restoring less critical systems and conducting after-action reports.