The Cybersecurity and Infrastructure Security Agency on Wednesday published a supplemental manual to its infrastructure resilience planning framework, which provides guidance on how local governments and the private sector can work together to improve the security and resilience of the nation’s critical infrastructure.
The new playbook includes processes and table top exercises to help public and private sectors minimize the impact of cyberattacks on their communities, reduce the risk of disruption to critical services and keep system restoration costs low.
It also outlines key actions for resilience planning, such as establishing incident-response groups, identifying critical infrastructure and those that dependent on it, creating mitigation strategies and integrating solutions into existing protocols.
“Reading through the Playbook process, not only are the IRPF steps articulated with clear inputs and outputs but the additional guidance on resilience concepts will help communities increase their readiness and bounce back quickly after a disaster,” said David Mussington, CISA’s executive assistant director for infrastructure security in the Wednesday announcement.
According to CISA, the nation’s critical infrastructure is comprised of sixteen industry sectors, including defense, energy, agriculture and maritime industries, such as ports, transportation and water treatment facilities, which have been increasingly targeted by cyberattacks from foreign adversaries.
The playbook’s release builds off the CISA’s release in April of proposed incident-reporting requirements for government agencies operating in critical infrastructure sectors. In the 133-page report, the agency said it plans to use the data it receives from incident reports to study cyberattack trends and to inform future strategies to improve resilience.
Some officials have objected to the proposal, arguing that the mandate demands too much from often-understaffed local offices.
On the manual’s website, CISA notes that the new playbook is a voluntary planning resource, and does not carry “any regulations, define mandatory practices, provide a checklist for compliance or carry statutory authority.”