Cyber Incident Management and Critical Infrastructure Protection

Cyber Incident Management & Critical Infrastructure Protection is one of the five thematic streams of the GFCE’s work, as codified in the GFCE’s Delhi Communique.

Within this theme, the GFCE facilitates dialogue, collaboration and information sharing on cyber capacity building as it relates to the topics of: national computer security incident response, cyber security exercises, and critical information infrastructure protection.

Working Group B on Cyber Incident Management & Critical Infrastructure Protection

The GFCE’s multistakeholder community comes together to share, shape and form knowledge on specific issues related to Cyber Incident Management and Critical Infrastructure Protection in Working Group B to:

Tools and publications

Publication Date: March 1 2023

Introduction to Tabletop Exercises: a Practical Guidebook for Organizations

This publication seeks to provide guidance in designing, developing and evaluating how and when to conduct a tabletop exercise as a tool to improve an organization’s cyber security policymaking and operations capacities. The guide aims to offer a public-private cross organizational scope. Therefore, it is not written from a strictly business point of view, but […]

Publication Date: October 21 2022

Cyber Incident Management (CIM) Cybil Portal Resources Guide

The Cyber Incident Management (CIM) Cybil Portal Resources Guide is an initiative of the GFCE Working Group B CIM Task Force. The objective of this guide is to provide an overview of all the resources that are available for the CIM community on the Cybil Portal as of October 2022. By doing this, we hope […]

Publication Date: March 2 2022

Towards Identifying Critical National Infrastructures in the National Cybersecurity Strategy Process

This white paper builds upon existing CNI/CII work within the GFCE and proposes some practical considerations and measures for how countries can develop approaches for identifying CNI/CII as part of their NCS development and implementation processes. The paper addresses three foundational elements related to CNI/CII identification in the context of NCS development. A fourth section […]

Publication Date: January 1 2022

Cyber Incident Management in Low-Income Countries

This report discusses the findings and recommendations of the “Cyber Incident Management in Low-Income Countries” project, funded by Global Affairs Canada. The project aims to create a tailorable guide for low-income countries to develop or improve their CSIRT capabilities in an affordable way to respond to the evolving cyber threat environment effectively. The report itself is […]

Publication Date: June 1 2021

GFCE CIIP Capacity Framework

The purpose of this guide is twofold. Firstly, the framework supports the discussion on CIIP and the exchange of good practices by specifying the capacities that may be part of a CIIP approach. Secondly, it provides knowledge to policymakers on how to establish and maintain sustainable and efficient efforts to protect CII by outlining the […]

Publication Date: February 1 2020

Lessons Learned: Cyber Incident Management Capacity Building

Capacity builders focus on their work in a number of different types of initiatives, from short-term maturity and capability assessments and technical training, to providing long-term engagement and advice. These projects often face challenges, which include a lack of awareness of other, existing initiatives, or lack of long-term funding which focuses on short term deliverables. […]

Publication Date: April 1 2021

The Global CSIRT Maturity Framework

The Global CSIRT Maturity Framework is intended to contribute to the enhancement of global cyber incident management capacity, with a focus on national CSIRTs. Cyber incidents and developments are inherently transnational and effective response is dependent upon transnational collaboration. The establishment of national CSIRTs is an essential step to facilitate cyber capacity building both within […]

Publication Date: November 1 2019

CIIP Capacity Framework

An infographic relating to the CIIP Capacity Framework.

Publication Date: October 22 2017

The GFCE-MERIDIAN Good Practice Guide on Critical Information Infrastructure Protection for Governmental Policy-Makers

Critical Information Infrastructure Protection (CIIP) is a complex but important topic for nations. Nations at large critically depend on Critical Infrastructure (CI) services such as energy supply, telecommunications, financial systems, drinking water, and governmental services. Information and communication technologies (ICT)-based services are becoming increasingly important for the functioning of CI. Disruption of information infrastructure is capable […]

Publication Date: October 30 2017

Companion Document to the GFCE-MERIDIAN Good Practice Guide on CIIP

The 2016 GFCE-MERIDIAN Good Practice Guide on Critical Information Infrastructure Protection for governmental policy-makers (hereafter: 2016 GPG) outlined that Critical Information Infrastructure Protection (CIIP) is a complex but important topic for nations. By nature, CIIP is a national security topic in the sense that failure, disruption or destruction of Critical Information Infrastructure (CII) may cause […]

Publication Date: November 21 2017

GFCE Global Good Practices: Critical Information Infrastructure Protection (CIIP)

The unprecedented uptake of ICT worldwide leads to a growing dependency of economic sectors, public institutions and societies as a whole. Multiple recent outbreaks of hostage-taking software (ransomware) have shown the criticality of ICT for sectors such as transport and healthcare. Attention for the security and continuity of critical ICT is crucial to the well-being […]

Publication Date: November 21 2017

GFCE Global Good Practices – National Computer Security Incident Response Teams (CSIRTs)

Even the best cyber security posture and practices cannot guarantee that key organisations and information infrastructures within a nation will not be vulnerable to malware, software failures, human errors, and other mishaps. The cyber threat landscape changes rapidly. Cyber incidents occur on a daily basis and may be of cross-border, multinational and often even global […]

Publication Date: October 1 2017

Produce and Present Trusted Metrics about Systemic Risk Conditions

A statistics platform, featuring metrics and data visualisation, allows for the measurement of key indicators of malicious activity and risk conditions, and enables analytical insight about patterns, priorities, and trends for action. Such intelligence can be used by the CERT/CSIRT community, security sector, corporations, and organisations. If the metrics are regularly published in reports about […]

Publication Date: October 1 2017

Establish a Clearinghouse for Gathering Systemic Risk Conditions Data in Global Networks

Internet networks are replete with systemic vulnerabilities. CERTs and other trusted operators require reliable information about their network’s health over time. Various organisations have set up systems to scan networks for vulnerabilities and/or monitor cyber-attacks. Many of these sources are open, but their provenance and collection processes are often opaque. To acquire a truly satisfactory […]

Publication Date: April 8 2015

CSIRT Maturity Kit

The purpose of this CSIRT Maturity Kit is to help emerging and existing Computer Security Response Teams (CSIRTs) to increase their maturity level. This is achieved by offering a set of best practices that cover CSIRT governance, organisation and operations. The document that is presented now provides a starting point to guide CSIRTs through this […]

Contributions to Cybil Portal






Coordinated Vulnerability Disclosure

CVD is a platform for GFCE members to share experiences and lessons learned in cyber security mechanisms for responsible disclosure or coordinated vulnerability disclosure policies and discussions on the broader topic of ethical hacking. Coordinated Vulnerability Disclosure (CVD) pertains to the mechanisms by which vulnerabilities are shared and disclosed in a controlled way. It provides […]

Critical Information Infrastructure Protection Initiative

The GFCE-Meridian initiative aims to support government policy makers with responsibility for Critical Information Infrastructure Protection (CIIP) to understand the implications and consequences of cybersecurity issues and to maintain an awareness of current developments. By working together in a global initiative, the initiators leverage their CIIP expertise for the benefit of a broader audience to […]

CSIRT Maturity Initiative

The objective of the Cyber Security CSIRT Maturity Initiative is to provide a platform for GFCE members to help emerging and existing CSIRTs to increase their maturity level. The expertise includes the following: Initiated by the Netherlands, ITU, OAS, Microsoft, FIRST and open for others to join.


The CyberGreen initiative is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem. CyberGreen will achieve this by providing reliable metrics, measurements, and mitigation best practices to Cyber Security Incident Response Teams (CSIRTs), network operators, and policy makers. These efforts will facilitate operational cleanup […]

The Cyber Surakshit Bharat Initiative

Countries today face new and emerging challenges in cyber security that range from a constantly shifting threat landscape to managing multiple platforms and devices in the environment. The modern threat landscape has never been more challenging – driving tremendous costs and risk to the security of critical information. Security breaches can take 200+ days to […]