ID
13-508-1212
Name
Cyber Incident Response Team
Status
Published
Version
1.2
Updated
11/15/2019 9:46:49 AM
Original Release
11/07/2017
Last Major Release
11/15/2019
Description
The Cyber Incident Response Team responds to crises or urgent situations within the pertinent cyber domain to address, manage, and mitigate immediate and potential threats.
Resource Category
Cybersecurity
Primary Core Capability
Cybersecurity
Secondary Core Capability
Resource Kind
Team
Overall Function
The Cyber Incident Response Team:
1. Investigates and analyzes all relevant cyber and network activities related to the crisis situation with the purpose of achieving the speediest recovery of the impacted critical infrastructure service
2. Uses mitigation, preparedness, response, and recovery approaches, as needed, to maximize survival of life, preservation of property, and information security
3. Documents all steps and actions taken during the operations and develops Incident Action Reports (IAR)
Composition and Ordering Specifications
1. Discuss logistics for deploying this team, such as working conditions, length of deployment, security, lodging, transportation, and meals, prior to deployment
2. The requestor may need to order multiple teams to provide 24-hour coverage
3. A single source entity may constitute the entire team
4. The requestor should specify if the personnel should have training and experience with specific software applications, hardware, and equipment
| Supporting Core Capabilities |
|---|
| None |
Components
| Component | Notes |
|---|---|
| Minimum Personnel Per Team | Not Specified |
| Management and Oversight Personnel Per Team | Not Specified |
| Support Personnel Per Team | 1. All members of the team should hold an active security clearance. 2. Any use of the term “forensics” is descriptive of a skill or capability and does not imply a law enforcement role. 3. The Voice Communications Operator, System Administrator, and Network Administrator are not NIMS typed support positions. |
| Operations Equipment Per Team | 1. The team may need additional equipment and supplies for small local area network interfaces to tactical outbound communications. 2. An understanding of asset information, including operating systems, key applications, incident response plans, organization charts, emergency contact lists, and hardware, is essential prior to deploying the team, to ensure the team brings the appropriate tools. 3. Iterations of training deployments determine additional software and hardware items needed to conduct forensics, network analysis, and other supporting functions. |
| Communications Equipment Per Team Member | Consider alternate forms of communication, such as satellite phones, based on the mission assignment and team needs. |
| Notes |
|---|
| References |
|---|
| FEMA, NIMS 509: CND Analyst |
| FEMA, NIMS 509: CND Infrastructure Support Specialist |
| FEMA, NIMS 509: Cyber Incident Responder |
| FEMA, NIMS 509: Database Administration Specialist |
| FEMA, NIMS 509: Digital Forensic Specialist |
| FEMA, National Incident Management System (NIMS), October 2017 |
| U.S. Department of Homeland Security, National Initiative for Cybersecurity Education, National Cybersecurity Workforce Framework, v.2, May 2014 |
Published Versions
| Version | Publish Date | Document Type |
|---|---|---|
| 1.2 | 11/15/2019 9:46:49 AM | |
| 1.1 | 9/28/2018 5:08:06 PM | |
| 1.0 | 11/7/2017 2:34:06 PM | |