

Office of the Chief Technology Officer


Cyber Security Incident Response Team Policy

Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023

1.  Purpose   

Establish policy for the proper use of District government provided electronic mail (email) services. 

2.  Authority 

DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at:

3.  Applicability 

This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency/District/entity who receive enterprise services from OCTO. In addition, this policy applies to any provider and third-party entities with access to District information, systems, networks, and applications. 

4.  Policy 

DC agencies must adopt the framework provided in this policy when responding to cybersecurity incidents to ensure that they safeguard the information systems and information technology contained on the internal District of Columbia Wide Area Network (DC Government system).

4.1.  Identification of Incidents

4.1.1.  All users of the DC Government system must refer cybersecurity-related suspicious activities or concerns ("security events") to OCTOHelps or the Security Operations Center (SOC) for the appropriate security review and handling through the following:

  • Contact the SOC by phone at +1-202-724-2447  
  • Contact the SOC by email at [email protected]
  • Contact OCTOHelps at +1-202-671-1566

4.1.2.  After the security incident is reported to OCTO, or after it is discovered by OCTO's internal monitoring, OCTO will take the following actions:

  • Log and track reported incidents; and 
  • Take steps to investigate, escalate, remediate, refer, or otherwise address the incident.

4.1.3.  Agency Chief Information Officers (CIO) and/or Agency Information Security Officers (ISO) must participate in all CSIRT security incident-related communications regarding his or her DC Agency until CSIRT remediates or stabilizes the security incident.

4.2.  Cyber Security Incident Response Team (CSIRT) and Coordinator

4.2.1.  CSIRT Coordinator: OCTO will have a dedicated CSIRT coordinator that is responsible for all communication regarding security incidents. The CSIRT coordinator is responsible for resolving and reporting security incidents and assembling a CSIRT team. The Chief Technology Officer or his or her designee must designate an OCTO employee to serve as the CSIRT coordinator.

4.2.2.  CSIRT Team: The CSIRT coordinator must identify and recruit DC Agency CIOs, DC Agency ISOs, and associated stakeholders to form the CSIRT. The membership of the CSIRT depends upon the severity level of an incident.

4.3.  Security Incident Classification Matrix

OCTO must establish a Security Incident Assessment Classification Matrix ("Matrix") to guide CSIRT's response to each security incident. The Matrix must establish classes of security incidents and specific procedures for responding to each class of security incident. The description of each class of security incident must also identify the OCTO personnel and DC Agency personnel that must be contacted and engaged to resolve the security incident. The Matrix must establish escalation procedures that identify contact persons within OCTO and, if applicable, DC Agencies, to respond to each level of escalation. The Matrix must be included in the Incident Response Plan.

4.4.  Documentation and Communication of Incidents

OCTO will ensure that incidents are appropriately logged and archived. The CSIRT Coordinator will be responsible for communicating the incident to appropriate personnel and for providing updates and instruction for the duration of the incident.

4.5.  Subordinate Procedures

The OCTO Chief Information Security Officer (CISO) or IT Security Director must maintain standard procedures to respond to and investigate each security incident. He or she must also secure the custody of any evidence obtained during the investigation. The Security Incident Classification Matrix will govern the application of these procedures.

5.  Exemption 

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6.  Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.