
An official website of the State of Oregon

Cyber Disruption Plan

Cyber disruptions have the potential to seriously harm Oregon citizens and businesses. The Oregon Cyber Disruption Response and Recovery (OCDR) - Voluntary Resource Guide for Local Government provides a common framework for responding to cyber threats impacting Oregon government and enables all levels of Oregon government to rapidly coordinate a cyber disruption response, minimizing the impact in Oregon.

There is no regulatory obligation to implement the OCDR; implementation is voluntary and intended to support Oregon whole-of-government by identifying resources, providing templates, and building community.

Prepare for a Cyber Disruption

Oregon has established an Oregon "Whole of Government Community" Cyber Disruption Response and Recovery (OCDR) - Voluntary Resource Guide. This plan brings the governing entities within Oregon together for an inclusive cybersecurity ecosystem. The Whole Community collaboration provides the greatest defense, response, and rapid recovery against cyber disruption. The OCDR can be downloaded below.

Step 1: Identify your cyber response team

Clarify who the key players are, outline roles and responsibilities, and clearly identify which individuals have the authority to take critical response actions. Document how to contact team members 24/7, designate an alternate for key roles, and outline a cadence for how and when the team will convene and deliver updates.

  • First Response Team: Includes the Cyber Response Manager and other IT/OT security staff to investigate an incident.
  • Cyber Response Steering Committee: Typically includes business executive leadership, CIO or senior IT management, information security officer, and Legal Counsel (or their designees) to confirm a cyber incident/disruption and oversee response.
  • Full Cyber Response Team: A complete list of individuals and roles that can be engaged as needed to scale up and support response, such as 1) internal: Public Information Officers, Human Resources, Financial Officer, and Emergency Manager and 2) external: other government cyber response organizations, cyber insurance, and law enforcement.

Step 2: Identify contacts and response service contracts for cybersecurity service providers and equipment vendors

Keep an updated list of vendor contacts and the support they can provide if a vulnerability is identified in vendor equipment. Identify a contact person for the Internet Service Provider (ISP). If incident investigation, forensic analysis, or other forms of incident response support are contracted out to a third party, identify the contact person, determine the process for engaging their support, and identify the person on the Cyber Response Team who is authorized to engage their services. Determine the expected response timelines for each partner.

Step 3: Understand systems and environment

Document where system maps, logs, and inventories are kept and maintained (both online and hard copy), along with the person(s) who has the credentials to access them. Document access credentials and procedures for removing access or providing temporary access to cyber responders.

Step 4: Outline reporting requirements and timelines

Depending on the type or severity of cyber incident/disruption, there may be requirements to report to regulatory agencies and local/state/federal officials, often within the first 24 hours, and sometimes as little as 6 hours. Determine your legal and contractual obligations to report incidents/disruptions to federal/state/local officials, insurance providers, and other third parties.

Step 5: Identify response procedures

Document procedures for investigation and documentation, containment actions for various types of attacks, and procedures for cleaning and restoring systems. Identify and pre-position the resources needed to preserve evidence, make digital images of affected systems, and conduct a forensic analysis, either internally or with the assistance of a third-party expert. Identify the external response organizations—including law enforcement, information sharing organizations, and cyber mutual assistance groups—that might engage during cyber incident response, particularly for when resources and capabilities are exceeded. Identify key contacts within external response organizations and build personal relationships in advance. Determine how much information to share and when. Document who has the authority to engage these organizations and at what point they should be notified.

Step 6: Develop strategic communication procedures

Identify the key internal and external communications stakeholders, what information to communicate and when, and what situations warrant internal communication with employees and public communication with citizens and the media. Develop key messages and notification templates in advance.

Step 7: Define legal team response

Cyber response should be planned, coordinated, and executed under the guidance of the legal team. Procedures to promptly alert the legal team of a cyber incident/disruption need to be in place. To ensure compliance and preserve the legal posture, the legal team should be directly involved with the investigation, documentation, and reporting.

Step 8: Exercise and train staff

Staff should be trained on cyber response processes and procedures regularly. Cyber response exercises or participation in industry exercises should be conducted frequently to test cyber response preparedness.

Notify EIS Cyber Security Services (CSS) of a Cyber Disruption

When to notify

If you are experiencing a cyber disruption, notifying CSS is recommended, whether you need assistance or not. Notification can occur at various stages, even when complete information is not available.
Notification allows correlations of cyber events across the state to identify coordinated attacks or attack trends, access to mitigation measures and expertise from similar attacks, and cyber response support.

What to report

Helpful information includes:

  • Who you are
  • Who experienced the incident
  • What sort of incident occurred
  • How and when the incident was initially detected
  • What response actions have already been taken
  • Who has been notified

Who to notify

Cyber Security Services Security Operations Center

Phone: 503-378-5930

For your situational awareness

CSS will share de-identified information with Trusted Partners for situational awareness. Trusted Partners are Oregon Emergency Management, Titan Fusion Center, MS-ISAC, CISA, and National Guard.

Proactive and Reactive Services

This Service Matrix provides a high-level picture of the services available to government organizations and the provider of each service. Appendix A provides additional details along with contact information. Oregon government agencies can utilize these resources and services, and many are free of charge.




Dual Role

Providers:

  • Cyber Security Services (CSS)
  • Office of Emergency Management (OEM)
  • Cybersecurity Infrastructure Security Agency (CISA)
  • Multi-State Information Sharing & Analysis Center (MS-ISAC)
  • Oregon Titan Fusion Center
  • Oregon National Guard

Services:

  • Advisories/Threat Notification
  • CIS SecureSuite Membership
  • Continuity Planning
  • Cyber Assessments
  • Cyber Exercise Planning
  • Cyber Training/Education Resources
  • Cyber Vendor Contracts
  • Malicious Domain Blocking
  • Managed Security Services
  • Network Monitoring
  • Penetration Testing
  • Phishing Campaign Assessments
  • Risk & Vulnerability Assessment
  • Validated Architecture Design
  • Vulnerability Scanning
  • Web Application Scanning

  • Emergency Declaration
  • Incident Response Assistance
  • Malicious Code Analysis Platform
  • Malware Analysis
  • Vulnerability Assessment
  • Vulnerability Management Program



Templates are a starting point. Each organization will need to alter them to fit its business needs and to meet legal sufficiency.

Partner Organizations

Cyber Threat Intelligence Integration Center (CTIIC)

Operated by the Office of the Director of National Intelligence, the CTIIC is the primary platform for intelligence integration, analysis, and supporting activities for the Federal Government. CTIIC also provides integrated all-source analysis of intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. national interests.
Visit the Cyber Threat Intelligence Integration Center (CTIIC) website

National Cybersecurity and Communications Integration Center (NCCIC)

Response activities include furnishing technical assistance to affected entities to protect their assets, mitigate vulnerabilities, and reduce impacts of cyber incidents, as well as identifying other entities that may be at risk and assessing their risk to the same or similar vulnerabilities. NCCIC assesses potential risks to the sector or region, including potential cascading effects, develops courses of action to mitigate these risks, and facilitates information sharing and operational coordination with threat response.
Visit the National Cybersecurity and Communications Integration Center (NCCIC) website

U.S. Cyber Command (USCYBERCOM) Joint Operations Center (JOC)

The USCYBERCOM JOC directs the U.S. military’s cyberspace operations and defense of the Department of Defense Information Network (DoDIN). USCYBERCOM manages both the threat and asset responses for the DoDIN during incidents affecting the DoDIN and receives support from the other centers, as needed.
Visit the U.S. Cyber Command (USCYBERCOM) Joint Operations Center (JOC) website

U.S. Secret Service

National network of Electronic Crimes Task Forces, which combine the resources of academia, the private sector, and SLTT law enforcement to prevent, detect, and investigate electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.
Visit the U.S. Secret Service website

United States Computer Emergency Readiness Team

The United States Computer Emergency Readiness Team (US-CERT) coordinates defense against and response to cyber attacks. US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.
Visit the United States Computer Emergency Readiness Team website


FirstNet's mission is to deploy, operate, maintain, and improve the first high-speed, nationwide wireless broadband network dedicated to public safety.
Visit the FirstNet website


Oregon's Cyber Disruption Plan

State of Oregon Incident Response Plan

Oregon Emergency Operations Plan, Annex 10, Cyber Security

Oregon Cooperative Procurement Program

National Cybersecurity Review (NCSR)

The Nationwide Cybersecurity Review is a no-cost, anonymous, annual self-assessment designed to measure gaps and capabilities of state, local, tribal and territorial governments' cybersecurity programs. It is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and is sponsored by the Department of Homeland Security (DHS) & the Multi-State Information Sharing and Analysis Center® (MS-ISAC®).

DotGov Program

The DotGov Program, part of the General Services Administration, operates the .gov top-level domain (TLD) and makes it available to US-based government organizations, from federal agencies to local municipalities. Using a .gov domain shows you're an official government organization.


Federal Emergency Management Agency (DHS/FEMA) Emergency Management Institute (EMI) offers a variety of in-residence and online courses in incident management and security and emergency management, including several on continuity and disaster recovery. Visit for more information.

The SANS Institute provides specialized information technology training resources delivered in a variety of formats. Visit for more information.

The International Information Systems Security Certification Consortium (ISC2) offers a number of training and certification (with concentrations) options, including the industry-leading Certified Information Systems Security Professional (CISSP) designation. Visit for more information.

The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans. Visit to view the course catalog.


The National Cybersecurity and Communications Integration Center (NCCIC) develops and supports integrated cyber incident response plans and guidance and cyber-focused exercises for governmental and critical infrastructure partners. Visit for more information.

Download the Cyber Disruption Plan

The Cyber Disruption Plan covered on this page is also available for download in its entirety or in part: