Sorry, you need to enable JavaScript to visit this website.


Office of the Chief Technology Officer

DC Agency Top Menu

-A +A
Bookmark and Share

Incident Response Policy

Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023

1.    Purpose

Establish requirements for effective and efficient identification, reporting, escalation, response to, and evaluation of whether any security compromises or other related incidents that occur within the District of Columbia Government (“District”)’s Information Systems have been resolved.

2.    Authority

DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at:

3.    Applicability

This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District Government, and/or any District Government agency/District/entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from the District of Columbia Office of the Chief Technology Officer (OCTO). In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and applications.

4.    Policy

District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards. The following outlines the requirements for this policy.

The District's agencies must develop and review or update annually and after change to the policy, a procedure in support of this policy with the following requirements:

4.1.    Incident Response Training
The District agencies provide incident response training to information system users consistent with assigned roles and responsibilities:

4.1.1. The District agencies provide incident response training to information system users consistent with assigned roles and responsibilities:

4.1.2. Provide training before assuming an incident response role or responsibility, when required by information system changes, and annually thereafter.

4.1.3. Provide additional or supplemental IR training when information system changes occur.

4.1.4. Annually thereafter.

4.2.    Incident Response Testing
The District agencies coordinate an annual incident response testing with organizational elements responsible for related plans. 
4.3.    Incident Handling

The District agencies

4.3.1. Must develop, adhere to or adopt within their Incident Management Plans, incident handling capabilities for security incidents that include:

  • Preparation.
  • Detection and Analysis.
  • Containment, Eradication, and Recovery.
  • Post-Incident Activity.
  • Coordinates incident handling activities with contingency planning activities.
  • Lessons learned from incident handling activities shall be incorporated into incident response procedure s, training, and testing/exercises, and implements the resulting changes.

4.4.    Incident Monitoring
The District agencies must develop, adhere to or adopt incident monitoring processes that track and document information asset security incidents on an ongoing basis.
4.5.    Incident Reporting

The District agencies must:

4.5.1.    Require personnel to report suspected security events to the District Security Operations Center (SOC) immediately the event is discovered.

4.5.2.    Report all identified Information Security Incidents to the Office of Information Security

  • Contact the SOC by phone at +1-202-724-2447  
  • Contact the SOC by email at [email protected]

4.6.    Incident Response Assistance
The District agencies must provide incident response support that offers advice and assistance to users of agency-managed information systems for the handling and reporting of security incidents.
4.7.    Incident Response Record Retention
The District agency must retain all documents and data related to an incident according to the agency’s data retention schedule..
4.8.    Incident Response Plan

The District must develop an incident response plan that:

4.8.1.    Provides the organization with a roadmap for implementing its incident response capability.  

4.8.2.    Describes the structure and organization of the incident response capability.  

4.8.3.    Provides a high-level approach for how the incident response capability fits into the District processes.  

4.8.4.    Meets the unique requirements of the District, which relate to mission, size, structure, and functions.

4.8.5.    Is tested at least once every 6 months.

4.8.6.    Defines reportable incidents.

4.8.7.    Provides metrics for measuring the incident response capability within the District.  

4.8.8.    Defines the resources and management support needed to effectively maintain and mature an incident response capability.

4.8.9.    Is reviewed and approved by the Chief Technology Officer who will in turn:

  • Distribute copies of the incident response plan to all the District agencies.
  • Review the incident response plan once every quarter.
  • Update the incident response plan to address system/organizational changes or problems encountered during implementation, execution, or testing of the plan.
  • Communicates incident response plan changes to all the District agencies.
  • Protects the incident response plan from unauthorized disclosure and modification.

5. Exemption

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6. Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.