Presidential Policy Directive 41

Presidential Policy Directive 41 (PPD-41) titled "United States Cyber Incident Coordination" is a Presidential Policy Directive signed by President of the United States Barack Obama on 26 July 2016 that sets forth principles governing the Federal Government’s response to cyber incidents involving government or private sector entities. Its annex has subject "Federal Government Coordination Architecture for Significant Cyber Incidents".

Content
PPD-41 lays out several principles guiding the Federal Government's response to cyber incidents, including Shared Responsibility, Respecting Affected Entities, Risk-Based Response, and Unity of Governmental Effort. In addition to these principles, PPD-41 provides that the Federal Government shall undertake three concurrent lines of effort in response to cyber incidents:


 * Threat Response, which involves conducting appropriate law enforcement and national security investigative activity at the affected entity’s site, collecting evidence and gathering intelligence, and providing attribution.
 * Asset Response, which includes furnishing technical assistance to affected entities to protect their assets, mitigate vulnerabilities, and reduce impacts of cyber incidents.
 * Intelligence Support, which entails facilitating the building of situational threat awareness and sharing of related intelligence, the integrated analysis of threat trends and events, and identifying knowledge gaps.

When a cyber incident rises to the level of significant cyber incident, PPD-41 requires additional coordination within the federal government. Significant cyber incident is defined by PPD-41 as a cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

In the event of a significant cyber incident, PPD-41 designates lead federal agencies for each of the lines of effort. The lead agencies are the Federal Bureau of Investigation (threat response), Cybersecurity and Infrastructure Security Agency (asset response), and the Office of the Director of National Intelligence (intelligence support). In addition, PPD-41 provides that a Cyber Unified Response Group (Cyber UCG) will be formed to coordinate between and among federal agencies. The Cyber UCG is composed of the lead agencies for threat response, asset response, and intelligence support, as well as any other agencies responsible for critical infrastructure sectors impacted by the incident. Non-federal entities, such as state, local, tribal, or territorial governments, nongovernmental organizations, international governments, or private sector companies may also participate if the scope, nature, or facts of the significant cyber incident require it.

Finally, PPD-41 requires that a Cyber Response Group (CRG) headed by the National Security Council shall coordinate the development and implementation of U.S. Government policy and strategy with respect to significant cyber incidents.

History and Usage
PPD-41 has been called "evolutionary, not revolutionary," as it codified best practices for collaboration that had organically developed between federal agencies. Other governmental policy structures have built upon PPD-41, including the Cyber Safety Review Board, which reviews and assesses significant cyber incidents as defined by PPD-41.

Cyber UCGs under PPD-41 were invoked several times by the Obama administration, to address threats to national cybersecurity.

The succeeding Trump administration, which took office in January 2017, did not invoke the directive at all until 15 December 2020. On that occasion, PPD-41 was invoked in a statement by the National Security Council announcing the creation of a Cyber Unified Coordination Group "to ensure continued unity of effort across the United States Government" in response to the 2020 United States federal government data breach.