The IT Law Wiki


Department of Homeland Security, National Cyber Incident Response Plan (Dec. 2016) (full-text).



In March 2010, the U.S. Department of Homeland Security issued a draft of the "National Cyber Incident Response Plan." The Plan describes roles, responsibilities, and actions to prepare for, respond to, and recover from cyber incidents. This is the final version of that Plan.

"The Plan was developed according to the direction of PPD-41 and leveraging doctrine from the National Preparedness System to articulate the roles and responsibilities, capabilities, and coordinating structures that support how the Nation responds to and recovers from significant cyber incidents posing risks to critical infrastructure. The NCIRP is not a tactical or operational plan; rather, it serves as the primary strategic framework for stakeholders to understand how federal departments and agencies and other national-level partners provide resources to support response operations."[1]

Authored in close coordination with government and private sector partners, the NCIRP expounds upon the concurrent lines of effort, defined by PPD-41, for how the Federal Government will organize its activities to manage the effects of significant cyber incidents. The concurrent lines of effort are threat response, asset response, intelligence support, and the affected entity, which undertakes efforts to manage the effects of the incident on its operations, customers, and workforce.

This plan is part of the National Response Framework, which DHS issued in 2004 in response to the events in the aftermath of 9/11. The Framework presents the guiding principles that enable first responders, decision makers, and support entities nationwide to provide a unified national response to disasters and emergencies, including cybersecurity incidents.


  1. National Cyber Incident Response Plan, at 4.