IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

How to Recover from Cyber Incidents in Government

What actions do organizations need to take to prepare for cybersecurity incidents? The National Institute of Standards and Technology (NIST) has answers in Special Publication 800-184, titled: 'Guide for Cybersecurity Event Recovery.' Here’s an exclusive interview with one of the authors.

Public- and private-sector organizations have experienced numerous major incidents related to cybersecurity over the past few years. Indeed, many experts claim it is just a matter of time before everyone experiences a data breach or significant cyberevent such as a widespread ransomware infection.

So how can the public sector prepare for cybersecurity events that have the potential to disrupt their critical operations? Governments are known for their actions using Federal Emergency Management Agency (FEMA) response and recovery guidance for natural disaster situations such as in Hurricane Harvey, but cybersecurity incidents are certainly different in many respects. How should organizations prepare now to recover when events happen?

In many state and local governments, this topic has been on the front burner for several years, leading the National Association of State Chief Information Officers (NASCIO) to create a Cybersecurity Disruption Response Planning Guide last year, that includes best practices from many jurisdictions.

States like Michigan are now on their second version of their cyberdisruption response plans. The Michigan actions include involvement from public and private entities that are involved in protecting critical infrastructure at the local, state and national levels. I covered more details on this state-specific cyberplanning efforts several years ago.

Michigan even brings in their Cyber Civilian Corp if the governor declares a cyberemergency, and these mechanisms are now written into law. However, the training, planning and preparation for these events come well before any cyber emergency. States like Michigan even hold annual cybertabletop exercises to practice for potential disruption scenarios.

Federal Government Cyberevent Planning

But what about national guidance on planning for cyberincidents for the federal government and others? Most public- and private-sector organizations look to the National Institute of Standards and Technology (NIST) to do the required research to provide guidance and direction, in the same way that they developed, released and updated the Cybersecurity Framework.

Fortunately I have some good news for you.

Back in mid-October, I sat on the ransomware panel at CyberMaryland in Baltimore, and I sat next to Michael (Mike) Bartock on the panel from NIST.

Mr. Bartock is an IT specialist in the Computer Security Division in the Information Technology Laboratory at the National Institute of Standards and Technology. He performs applied cybersecurity research specializing in hardware roots of trust to enforce policy-based cloud workload migration, LTE backhaul protection, and derived personal identity verification (PIV) credentials. His work focuses on collaborating with industry partners to build and implement proof of concept reference architectures. He has experience in managing virtualized environment, cloud computing, software development, cryptography, derived PIV credentials, and LTE security for public safety networks. He received his bachelor's in mathematics from the University of Maryland.

Many of Mike’s answers on ransomware and other cyberincidents referenced NIST SP 800-184, which is a guide that came out in December 2016 regarding cybersecurity event response and recovery. The title of the document is: Guide for Cybersecurity Event Recovery.

“The purpose of this document is to support organizations in a technology-neutral way in improving their cyberevent recovery plans, processes and procedures, with the goal of resuming normal operations more quickly. This document extends, and does not replace, existing federal guidelines regarding incident response by providing actionable information specifically on preparing for cyberevent recovery and achieving continuous improvement of recovery capabilities. It points readers to existing guidance for recovery of information technology.”

Here’s how the NIST introduces this cybersecurity topic at their website: “Defense! Defense!” may be the rallying cry from cybersecurity teams working to thwart cybersecurity attacks, but perhaps they should be shouting “Recover! Recover!” instead.

The helpful NIST guide offers sections including an executive summary, purpose and scope, planning for cyberevent recovery, continuous improvement, recovery metrics, building a playbook, some example scenarios and several appendix checklists for your playbooks — including references. Note: You can see the outline for the table of contents at the end of this blog.

I was very impressed with Mike’s panel answers, so I asked him if he would be willing to be interviewed for my blog. He agreed, so I offer that exclusive interview to you below.

Interview With Michael Bartock — NIST SP 800-184 Co-Author


Dan Lohrmann (DL): Why is it important for organizations to prepare in advance for cybersecurity incidents?

Mike Bartock (MB): This is straight from NIST SP 800-184: “Preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents. Additionally, continually improving recovery planning by learning lessons from past events, including those of other organizations, helps to ensure the continuity of important mission functions.”

When a cybersecurity event occurs, organizations should be ready to act as quickly and efficiently as possible to ensure they fully recover from the event.  Being prepared ahead of time gives the organization and its employees time to fully think out strategies and plans to perform their recovery activities.  They also should test and practice these plans to ensure they work as designed, and to lessen the time it takes to perform them.

DL: What is the background on NIST SP- 184? Why was it written and who was involved?

MB: The background from NIST SP 800-184 is from the Cybersecurity Strategy Implementation Plan (CSIP), OMB M-16-04 of October 30, 2015, in which the goal was to implement a number of immediate high priority actions to enhance the cybersecurity of Federal information and assets. The CSIP was developed by the “Sprint Team” (OMB, NSC, DHS, DoD, and Federal civilian and defense agencies). Specific to cybersecurity event recovery, it desired to produce guidance for rapid recovery from incidents when they occur and accelerated adoption of lessons learned from the Sprint assessment. NIST was given to the action to provide updated guidance to agencies by June 30, 2016, on how to recover from a cyber event, focusing on potential scenarios to include, but not limited to, a data breach or a destructive malware campaign. NIST staff researched best practices and guidance on how to recover from cybersecurity events, which was often disparate and spread out across many different resources.  During the development of NIST SP 800-184, NIST held workshops and meetings to gather input and feedback from industry, academia, and government.

DL: You address quite a few topics regarding enterprise resiliency, metrics, recovery and more. Which area(s) do you feel were / are most ground-breaking and helpful? Why?

MB: NIST 800-184 stresses the importance of being prepared to recover from a cybersecurity event.  The upfront work that can be done to ensure proper plans are in place to recover from cybersecurity events in a timely manner is very important.  This includes having not only technical plans in place, but also organizational and communications plans in place so that there is a well-defined process to follow after a cybersecurity event occurs.  This preparation leads to much less confusion during the recovery process.  Another important topic is the notion of continuous improvement of the recovery plan.  Performing regular tests and exercises of the recovery plans helps to ensure that an organization can successfully recover from a cybersecurity event after it happens.

DL: Do most federal agencies follow this guidance? Is this a set of recommended or mandatory requirements?

MB: NIST cannot speak on behalf of other federal agencies, and how they take NIST guidance and implement it.  NIST does not mandate standards and guidelines, and currently there is no directive mandating use of NIST SP 800-184 for federal agencies.

DL: How important is SP-184 for state and local governments and the privates sector? 

MB: As with any NIST guidance, NIST 800-184 is targeted for federal government agencies. However, it is intended be useful for other organizations, whether they be state or local governments or the private sector.

DL: In our panel at CyberMaryland 2017 on ransomware, you brought up several examples of how NIST guidance (including SP-184 and other documents) can help organizations prepare for, respond to and recover from ransomware and other malware attacks. Can you elaborate?

MB: NIST SP 800-184 lays out how to develop a cybersecurity recovery plan.  This plan incorporates how to assemble the recovery teams and creating a communications plan for internal and external stakeholders. This could involve working closely with the incident response team to make sure that the malware has been fully eradicated from the organization before the recovery process begins so that it does not reoccur.  For specific types of cybersecurity events, individual playbooks should be created that contain technical and procedural steps for performing the recovery.  For example, if an organization is recovering from a ransomware attack they can focus on using recent and un-impacted backups to recover from the ransomware attack.

DL: Any stories you can share about how SP-184 has been implemented and helped federal agencies and/or other organizations?

MB: There is nothing specific right now that I can speak to regarding this.

DL: Where do you see this wider topic of incident response from security incidents heading in 2018 and beyond? Is an updated version coming and/or related materials?

MB: There is NIST SP 800-61 Revision 2 that was published in August 2012 that provides guidance on incident handling, whereas NIST SP 800-184 was finalized in December 2016.  NIST has in place a process for reviewing documents on when they need to be updated or revised.

DL: Thank you Mike for agreeing to answer my questions regarding this important guidance.

Final Thoughts

There has been a lot of discussion in the technology and cybersecurity industries about whether data breaches are inevitable. This article discusses thoughts on this security paradox. Here’s an excerpt: Those arguing for more investments in new technologies to stop breaches point to the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make their case. The framework includes five core functions: identify, protect, detect, respond and recover. …

Build your security priorities around all five NIST Cybersecurity Framework functions.”

Nevertheless, NIST SP 800-184 can help your organization prepare for when cybersecurity events do occur.



Note: Full NIST SP 800-184 document is available in PDF format at:

Also, the helpful appendices are not shown in this image of the table of contents.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.