Incident Response Playbook

Incident Response Plan

Incident response playbook for OCSI cybersecurity incidents — aligned with NIST SP 800-61 and DFARS 252.204-7012 72-hour reporting requirement.

Document: IRP-2026-001
Classification: CUI
Owner: Kit E. Floyd, Jr.
Last Review: April 3, 2026
Prepared By: OCSI Internal (AI-Assisted)
UNTESTED PLAN — NO TABLETOP EXERCISES CONDUCTED

This IR plan exists as documentation only. It has never been exercised through tabletop simulations or real incident response. No external IR partner (external MSSP or equivalent) is currently under retainer. Plan effectiveness is unverified.

Purpose & Scope

This Incident Response Plan establishes procedures for detecting, reporting, containing, eradicating, and recovering from cybersecurity incidents affecting OCSI systems and CUI data. This plan covers all OCSI information systems including the public website, Command Center, and supporting infrastructure.

Key Reference: DFARS 252.204-7012 requires reporting of cyber incidents involving CUI to the DoD Cyber Crime Center (DC3) within 72 hours of discovery.

Incident Response Team

IR Lead / Security Officer
  Name: Kit E. Floyd, Jr.
  Responsibility: First responder, triage, initial containment, communication coordination
  Contact: Internal contact list

Executive Authority
  Name: Sandra O. Floyd
  Responsibility: Decision authority for major incidents, external communications, legal/regulatory coordination
  Contact: Internal contact list

External IR Partner
  Name: TBD — Not yet engaged
  Responsibility: Technical incident response, forensics, evidence preservation, remediation support (external MSSP or equivalent; engagement pending)
  Contact: Not yet contracted

Business Development
  Name: Byron Bey
  Responsibility: Client communication, contract impact assessment
  Contact: Internal contact list

Incident Categories & Severity

SEV-1 Critical: CUI Compromise
  Examples: Confirmed data breach, unauthorized CUI access, credential theft affecting CUI systems
  Response Time: Immediate (within 1 hour)
  DFARS Report: Yes — 72 hours

SEV-2 High: Active Attack
  Examples: Ongoing unauthorized access, account takeover, website defacement
  Response Time: Within 4 hours
  DFARS Report: If CUI involved

SEV-3 Medium: Vulnerability / Attempted Attack
  Examples: Multiple failed login attempts, suspicious activity in audit log, new vulnerability discovered
  Response Time: Within 24 hours
  DFARS Report: No (unless escalated)

SEV-4 Low: Policy Violation / Anomaly
  Examples: Single failed login, configuration drift, expired certificate warning
  Response Time: Within 72 hours
  DFARS Report: No

Phase 1 — Preparation

Standing Readiness Measures

  • IR team roles and contact information maintained and current
  • External IR partner retainer — not yet engaged (external MSSP or equivalent)
  • Audit logging enabled on Command Center (authentication events, CRUD, exports, config changes)
  • Security headers deployed and verified monthly
  • Account lockout mechanism active (5 failures → 15-minute lockout)
  • Session timeout configured (30-min inactivity, 8-hr absolute max)
  • Annual tabletop exercise planned — not yet conducted
  • All personnel completed security awareness training (per 3.2.1)
  • Evidence preservation procedures documented (below)

Phase 2 — Detection & Analysis

Detection Sources

  • Audit Log: Failed logins, lockout events, unusual CRUD patterns, bulk exports
  • External Monitoring (Planned): Quarterly vulnerability scan results, threat intelligence alerts (not yet initiated; requires MSSP engagement)
  • User Reports: Staff reporting suspicious activity, unauthorized changes, phishing attempts
  • Automated: CSP violation reports, SSL certificate warnings

Analysis Steps

  1. Review audit log for scope and timeline of suspicious activity
  2. Determine if CUI was accessed, modified, or exfiltrated
  3. Identify affected systems and data types
  4. Assign severity level (SEV-1 through SEV-4)
  5. Notify IR team members per escalation matrix
  6. If SEV-1 or SEV-2: Contact external IR partner immediately (IR partner not yet under contract)
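
The analysis steps above can be partly automated against the Command Center audit log. The following is an added example, not code from the OCSI plan or application: it walks constructed audit entries (field names `ts`, `user`, `event`, `recordType`, `records` are assumed), applies the plan's 5-failure / 15-minute lockout threshold and an assumed bulk-export threshold of 100 records, and proposes a severity from the table in this plan for the analyst to confirm.

```javascript
// Constructed sample audit log (entry shape assumed; not the Command Center's real schema).
const SAMPLE_LOG = [
  { ts: '2026-04-03T09:00:01Z', user: 'bbey', event: 'login_failed' },
  { ts: '2026-04-03T09:00:07Z', user: 'bbey', event: 'login_failed' },
  { ts: '2026-04-03T09:00:12Z', user: 'bbey', event: 'login_failed' },
  { ts: '2026-04-03T09:00:20Z', user: 'bbey', event: 'login_failed' },
  { ts: '2026-04-03T09:00:25Z', user: 'bbey', event: 'login_failed' },
  { ts: '2026-04-03T09:00:25Z', user: 'bbey', event: 'lockout' },
  { ts: '2026-04-03T09:30:00Z', user: 'bbey', event: 'login_success' },
  { ts: '2026-04-03T09:31:00Z', user: 'bbey', event: 'export', recordType: 'CUI', records: 240 },
];

// Walk the log per user and propose a severity from the plan's table. The analyst still
// confirms SEV-1 (the table calls for a *confirmed* compromise); this only ranks leads.
function triageAuditLog(entries, opts = {}) {
  const windowMs = opts.windowMs ?? 15 * 60 * 1000; // lockout window in the plan
  const failThreshold = opts.failThreshold ?? 5;    // 5 failures -> lockout
  const bulkRecords = opts.bulkRecords ?? 100;      // assumed bulk-export threshold
  const byUser = new Map();
  for (const e of [...entries].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts))) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const findings = [];
  for (const [user, evs] of byUser) {
    const fails = evs.filter(e => e.event === 'login_failed').map(e => Date.parse(e.ts));
    // Lockout-level burst: failThreshold failures inside one window.
    let burst = false;
    for (let i = 0; i + failThreshold <= fails.length; i++) {
      if (fails[i + failThreshold - 1] - fails[i] <= windowMs) { burst = true; break; }
    }
    if (fails.length === 1) findings.push({ user, sev: 4, why: 'single failed login' });
    if (fails.length > 1) findings.push({ user, sev: 3, why: `${fails.length} failed logins` });
    const lastFail = fails.length ? fails[fails.length - 1] : -Infinity;
    const takeover = burst && evs.some(e => e.event === 'login_success' && Date.parse(e.ts) > lastFail);
    if (takeover) findings.push({ user, sev: 2, why: 'login succeeded after lockout-level failure burst (possible account takeover)' });
    for (const e of evs) {
      if (e.event === 'export' && e.recordType === 'CUI' && e.records >= bulkRecords) {
        // Bulk CUI export from a possibly taken-over account is a CUI-compromise lead.
        findings.push({ user, sev: takeover ? 1 : 3, why: `bulk CUI export of ${e.records} records` });
      }
    }
  }
  const top = findings.length ? Math.min(...findings.map(f => f.sev)) : null;
  return { severity: top ? `SEV-${top}` : 'none', findings };
}
```

The highest-ranked finding sets the proposed severity; each finding carries the user and the reason so the analyst can trace it back to the log entries that triggered it.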
Phase 3 — Containment

Short-Term Containment

  • Revoke compromised credentials immediately
  • Clear all active sessions (sessionStorage.clear() on affected endpoints)
  • Rotate FTP/cPanel credentials if server access suspected
  • Enable "maintenance mode" on affected pages if needed
  • Preserve audit log — export to secure location before any changes

Long-Term Containment

  • Deploy updated security configurations
  • Strengthen CSP rules if injection vector identified
  • Update credential hashes with new, stronger passwords
  • Implement additional monitoring per external IR partner recommendations

Phase 4 — Eradication & Recovery

Eradication

  • Remove any unauthorized files from server via FTP audit
  • Verify file integrity against known-good deployment baseline
  • Patch or remediate the vulnerability that was exploited
  • External IR partner performs post-containment vulnerability scan (when engaged)

Recovery

  • Redeploy application from clean source using node deploy-godaddy.cjs
  • Verify all security headers active post-deployment
  • Restore CUI data from authorized backup if needed
  • Re-enable user access with new credentials
  • Monitor closely for 72 hours post-recovery

Phase 5 — Post-Incident Activity

Lessons Learned

  • Conduct post-incident review within 5 business days
  • Document: what happened, how it was detected, response actions, timeline, effectiveness
  • Identify improvements to prevention, detection, and response
  • Update this IR plan based on findings
  • Brief all personnel on relevant lessons

DFARS Reporting (CUI Incidents)

  1. Report to DoD via https://dibnet.dod.mil within 72 hours
  2. Preserve all images and forensic evidence for 90 days minimum
  3. Provide DoD access to evidence upon request
  4. Submit malicious software samples to DC3 if applicable
  5. External IR partner assists with evidence packaging and submission (when engaged)

Evidence Preservation Procedures

  1. Audit Log: Export ocsi_audit_log from localStorage to JSON file with timestamp in filename
  2. Browser State: Screenshot all relevant browser console output and network activity
  3. Server Files: Download full site via FTP for integrity comparison against source
  4. Security Headers: Capture current headers via curl -I https://ocsi.co
  5. Chain of Custody: All evidence labeled with: date/time collected, collector name, description, hash of digital evidence
  6. Retention: All incident evidence retained for minimum 90 days (DFARS) or 3 years (organizational policy)
CRITICAL: For any incident involving potential CUI compromise (SEV-1), engage external IR support immediately and begin evidence preservation. The 72-hour DFARS reporting clock starts upon discovery. Note: External IR partner not yet under contract.
Action Required: (1) engage external IR partner, (2) conduct first tabletop exercise, (3) establish evidence preservation procedures with server-side logging. Until then, this plan is untested documentation only.