The Department of Defense maintains a comprehensive cyber incident handling program. This program ensures an integrated capability to continually improve the Department of Defense's ability to rapidly identify and respond to cyber incidents that adversely affect DoD information networks and information systems (ISs). It does so in a way that is consistent, repeatable, quality driven, measurable, and understood across DoD organizations. This provides requirements and methodology for establishing, operating, and maintaining a robust DoD cyber incident handling capability for routine response to events and incidents within the Department of Defense.

CYBER INCIDENT HANDLING PROGRAM * Introduction * Roles and Responsibilities * Computer Network Defense Overview * Computer Network Defense Services * Computer Network Defense Sustainment Functions * ENCLOSURE B * CYBER INCIDENT HANDLING METHODOLOGY * Introduction * Cyber Incident Handling Process and Life Cycle * Submit Initial Report * Preliminary Response Actions * Cyber Incident Analysis * Response and Recovery * Post-Incident Analysis * First Responder Guidelines * APPENDIX A TO ENCLOSURE B * CYBER INCIDENT AND REPORTABLE CYBER EVENT CATEGORIZATION * Introduction * Categories * Comparison of DoD and Department of Homeland Security (DHS) * Categories * ENCLOSURE C * CYBER INCIDENT REPORTING * Introduction * Reporting Structures * Operational Reporting Practices * Reporting Vehicles * Reporting Timelines * Reporting Formats * Reporting Considerations * Exercise Reporting * APPENDIX A TO ENCLOSURE C * REPORTING TIMELINES * Introduction * Reporting Timelines * APPENDIX B TO ENCLOSURE C * GENERAL CYBER INCIDENT REPORT FORMAT * General Cyber Incident Report Format * Initial Impact Assessment Matrix * APPENDIX C TO ENCLOSURE C * CYBER INCIDENT REPORTING DIAGRAMS * High-Level Overview of Reporting * Cyber Event Detected by Installation * Cyber Event Detected Within Combatant Command * Cyber Event Detected by External CND Group * Cyber Event Detected by Computer Network Defense Services Provider * ENCLOSURE D * CYBER INCIDENT ANALYSIS * Introduction * Cyber Incident Analysis Framework * Computer Forensics Analysis * System Analysis * Malware Analysis * Network Analysis * Analysis and Correlation of Cyber Event and Cyber Incident Data * Legal Issues * APPENDIX A TO ENCLOSURE D * DELIVERY VECTORS * Introduction * Delivery Vector Categories * APPENDIX B TO ENCLOSURE D * SYSTEM WEAKNESSES * Introduction * Determining Information System Weaknesses * APPENDIX C TO ENCLOSURE D * IMPACT ASSESSMENT MATRIX * Impact Assessment * Levels of Impact * Determining Technical and Operational Impact * Cyber Incident Impact Table * Cyber Incident and Event Potential Impact * ENCLOSURE E * CYBER INCIDENT RESPONSE * Introduction * Types of Responses * Developing and Implementing Courses of Action * Recovering Without Performing Technical Analysis * Containment Eradication Recovery Post-Incident Activity * ENCLOSURE F * COLLABORATION WITH OTHER STRATEGIC COMMUNITIES * Introduction * Operational Cooperation with LE/CI * International Coordination * Intelligence Community * Cyber Unified Coordination Group * APPENDIX A TO ENCLOSURE F * COORDINATION AND DECONFLICTION * Introduction * Types of Operations * APPENDIX B TO ENCLOSURE F * INTELLIGENCE SUPPORT TO CYBER INCIDENT REPORTING * Introduction * Joint Incident Management System (JIMS) * Intelligence Reporting Procedures * Product Dissemination * Writing For Release * USCYBERCOM "Smart Book" * ENCLOSURE G * COMPUTER NETWORK DEFENSE INCIDENT HANDLING TOOLS * Joint Incident Management System (JIMS) * Joint Malware Catalog (JMC) * Cyber Intelligence Analysis Tools * DoD Protected Traffic List * DoD Enterprise Incident Sets * DoD Information Network Deception Projects * Cyber Condition (CYBERCON)