NIST instructs agencies on cyber-incident response
New cybersecurity guidance urges federal agencies to have formal incident response plans in place in preparation for the inevitable network or application intrusion. The guidance comes from a draft second revision of the National Institute of Standards and Technology "Computer Security Incident Handling Guide," or SP 800-61 (.pdf). NIST published the first version in March 2008.
Of course, prevention through the use of continuous monitoring is important, especially because threats have grown stealthier since the last SP 800-61 revision, the authors write.
"Continually monitoring threats through intrusion detection and prevention systems (IDPSs) and other mechanisms is essential," says NIST.
However, incidents will and do happen, and when they do, a rapid response will minimize damage.
In the publication, NIST reminds agencies that the Federal Information Security Management Act requires them to designate primary and secondary points of contact with the Homeland Security Department's computer emergency readiness team, or US-CERT.
Agencies should have a policy and plan for reporting to US-CERT; procedures for incident handling and reporting; guidelines for communicating with outside parties on incidents; a reporting staff model with clearly designated internal and external relationships; specific services the incident response team is prepared to provide; and appropriate training in place.
All guidelines for interacting with US-CERT or other organizations following an incident should also be thoroughly documented, recommends NIST--this includes guidance for prioritizing incidents and lessons learned from past incidents. And agencies should be prepared for a broad array of incidents, as well as the most common incidents, such as attacks executed through attachments in email messages or thumb drive-based viruses.
NIST will accept comments on the latest revision via email through March 16, 2012.
For more:
- download NIST SP 800-61 Revision 2 (Draft) (.pdf)