Why CISA Guidance Matters

The Cybersecurity and Infrastructure Security Agency (CISA) is the nation's risk advisor for 16 critical infrastructure sectors. CISA provides free exercise guidance, templates, and support to help organizations strengthen cyber resilience. Following CISA methodology ensures interoperability across sectors and alignment with federal expectations for critical infrastructure protection.

Critical infrastructure sectors

Exercise types in HSEEP

Planning steps

CISA Exercise Program Overview

CISA's Homeland Security Exercise and Evaluation Program (HSEEP) defines a progressive series of exercises designed to build and validate capabilities over time:

The CISA Exercise Progression

Five exercise types from discussion-based to operations-based

Orientation Seminar

Discussion-Based

Introduce and overview new or updated plans, policies, or procedures

Characteristics:

Primarily informational
Low-stress environment
Typically 2-3 hours
Good for awareness building

WHEN TO USE:

After deploying new IR plan or procedures

PARTICIPANTS:

All stakeholders including non-technical staff

Workshop

Discussion-Based

Build consensus and develop plans through working groups

Characteristics:

Interactive and collaborative
Produces tangible output (updated plans)
Typically half-day to full-day
Focused on problem-solving

WHEN TO USE:

When developing new procedures or updating existing ones

PARTICIPANTS:

Subject matter experts and planners

Tabletop Exercise (TTX)

Discussion-Based

Evaluate plans, policies, procedures through simulated incident

Characteristics:

Scenario-driven discussion
Tests decision-making
2-4 hours typically
Identifies gaps in procedures

WHEN TO USE:

Regular validation of IR capabilities (quarterly)

PARTICIPANTS:

Decision-makers and key personnel

Drill

Operations-Based

Test and validate specific capabilities in isolation

Characteristics:

Focused on single function
Hands-on execution
Examples: backup restoration, communication trees
Measurable pass/fail criteria

WHEN TO USE:

Component testing of technical capabilities

PARTICIPANTS:

Technical staff executing the specific capability

Full-Scale Exercise

Operations-Based

Validate all capabilities in realistic, complex scenario

Characteristics:

Comprehensive and resource-intensive
Simulates real-world conditions
Tests coordination across organizations
Multi-day events

WHEN TO USE:

Annual comprehensive readiness validation

PARTICIPANTS:

All stakeholders, often multi-organizational

CISA Tabletop Exercise Planning Process

8-step HSEEP planning methodology

Establish Exercise Planning Team

Foundation8-12 weeks before exercise

Identify planning team members, assign roles, schedule planning meetings

Key Deliverables:

Planning team rosterMeeting scheduleRoles and responsibilities

Define Scope and Objectives

Foundation8-12 weeks before exercise

Determine what capabilities will be tested and what success looks like

Key Deliverables:

SMART objectivesScope statementCore capabilities list

Develop Scenario

Design6-8 weeks before exercise

Create realistic scenario that drives toward exercise objectives

Key Deliverables:

Master scenario events list (MSEL)Scenario narrativeInjects

Develop Exercise Documentation

Design4-6 weeks before exercise

Create exercise plan, situation manual, evaluation guides

Key Deliverables:

Exercise planSitManEvaluation guidesController/evaluator handbook

Coordinate Logistics

Preparation2-4 weeks before exercise

Arrange facilities, materials, technology, participant notifications

Key Deliverables:

Participant invitationsFacility arrangementsTechnology setup

Conduct Exercise

ExecutionExercise day

Execute the tabletop exercise according to plan

Key Deliverables:

Exercise executionController notesObserver notes

Evaluate Performance

EvaluationDuring and immediately after

Assess performance against objectives, identify strengths and gaps

Key Deliverables:

Evaluation notesHot wash notesParticipant feedback

Develop After-Action Report

Improvement2-4 weeks after exercise

Document findings, recommendations, improvement plan

Key Deliverables:

After-Action Report (AAR)Improvement Plan (IP)Corrective actions

Critical Infrastructure Focus

CISA recognizes 16 critical infrastructure sectors. Tabletop exercises should consider sector-specific threats and cross-sector dependencies:

⚡

Energy

Grid disruption, SCADA/ICS attacks, NERC CIP compliance

🏥

Healthcare

Patient data breaches, medical device security, HIPAA compliance

🏦

Financial Services

Payment system disruption, fraud, PCI DSS compliance

✈️

Transportation

Operational technology attacks, GPS spoofing, TSA requirements

💧

Water/Wastewater

SCADA attacks, treatment disruption, EPA compliance

📡

Communications

Network outages, data interception, FCC requirements

🏛️

Government

Classified data, citizen data breaches, FISMA compliance

🏭

Manufacturing

OT/IT convergence, IP theft, supply chain attacks

Cross-Sector Dependencies

CISA emphasizes testing cross-sector coordination. Example scenario: "Ransomware attack on healthcare organization also disrupts communications (VoIP) and energy (backup generators offline). How do you coordinate response across sectors and with CISA?"

CISA Evaluation Methodology

CISA provides standardized evaluation guides that assess performance against core capabilities:

Planning

• Are plans current and accessible?
• Do participants know their roles?
• Are procedures clear and actionable?

Operational Coordination

• Is communication timely and effective?
• Are decision-making authorities clear?
• Is coordination with external entities effective?

Intelligence & Information Sharing

• Is information shared appropriately?
• Are reporting procedures followed?
• Is threat intelligence integrated?

Operational Communications

• Are backup communications available?
• Can teams communicate during outages?
• Are communication protocols followed?

Public Information & Warning

• Are messages timely and accurate?
• Is coordination with PIO effective?
• Are stakeholders appropriately informed?

Cybersecurity

• Are cyber threats detected quickly?
• Are response actions appropriate?
• Is recovery timely and complete?

CISA Resources and Support

Free tools and assistance available from CISA

Exercise Starter Kits

Pre-built scenarios, templates, and planning guides for common threat scenarios

How to Access:

Download from cisa.gov/exercise-starter-kits

Includes:

Scenario templatesMSEL templatesSitMan templatesAAR templates

CISA Exercise Support

Free facilitation support and subject matter experts for exercises

How to Access:

Request via cisa.gov/request-exercise-support

Includes:

Exercise planning assistanceFacilitatorsEvaluatorsPost-exercise support

Cyber Exercise Playbook

Detailed guidance on planning and conducting cyber exercises

How to Access:

Download from cisa.gov/cyber-exercise-playbook

Includes:

Best practicesSample scenariosFacilitation tipsEvaluation guides

After-Action Report Templates

Standardized formats for documenting exercise results

How to Access:

Available at hseep.dhs.gov

Includes:

AAR formatImprovement plan formatCorrective action tracking

Reporting to CISA

Critical infrastructure organizations should consider sharing exercise findings with CISA to contribute to national resilience:

When Required

• If exercise reveals reportable incident
• If funded by CISA grants
• If CISA support was provided

When Encouraged

• Significant capability gaps identified
• Cross-sector coordination tested
• Novel attack vectors simulated

When Optional

• Internal exercises
• Routine testing
• Vendor-led exercises

CISA-Aligned Tabletop Exercises

Breakpoint scenarios follow CISA HSEEP methodology and include sector-specific scenarios for all 16 critical infrastructure sectors. Generate CISA-compliant After-Action Reports automatically.

Start Free Trial Government Solutions

Creating Effective Tabletop Exercise Scenarios

The Goldilocks Principle for scenario design, 5-layer model, and inject techniques

How to Test Your Incident Response Plan

The IR Testing Pyramid, 5 testing methods, and annual testing calendar

NIST Incident Response Framework Guide

4 NIST phases and key incident response metrics (MTTD, MTTA, MTTC, MTTR)

Why CISA Guidance Matters

Critical infrastructure sectors

Exercise types in HSEEP

Planning steps

CISA Exercise Program Overview

CISA's Homeland Security Exercise and Evaluation Program (HSEEP) defines a progressive series of exercises designed to build and validate capabilities over time:

The CISA Exercise Progression

Five exercise types from discussion-based to operations-based

Orientation Seminar

Discussion-Based

Introduce and overview new or updated plans, policies, or procedures

Characteristics:

Primarily informational
Low-stress environment
Typically 2-3 hours
Good for awareness building

WHEN TO USE:

After deploying new IR plan or procedures

PARTICIPANTS:

All stakeholders including non-technical staff

Workshop

Discussion-Based

Build consensus and develop plans through working groups

Characteristics:

Interactive and collaborative
Produces tangible output (updated plans)
Typically half-day to full-day
Focused on problem-solving

WHEN TO USE:

When developing new procedures or updating existing ones

PARTICIPANTS:

Subject matter experts and planners

Tabletop Exercise (TTX)

Discussion-Based

Evaluate plans, policies, procedures through simulated incident

Characteristics:

Scenario-driven discussion
Tests decision-making
2-4 hours typically
Identifies gaps in procedures

WHEN TO USE:

Regular validation of IR capabilities (quarterly)

PARTICIPANTS:

Decision-makers and key personnel

Drill

Operations-Based

Test and validate specific capabilities in isolation

Characteristics:

Focused on single function
Hands-on execution
Examples: backup restoration, communication trees
Measurable pass/fail criteria

WHEN TO USE:

Component testing of technical capabilities

PARTICIPANTS:

Technical staff executing the specific capability

Full-Scale Exercise

Operations-Based

Validate all capabilities in realistic, complex scenario

Characteristics:

Comprehensive and resource-intensive
Simulates real-world conditions
Tests coordination across organizations
Multi-day events

WHEN TO USE:

Annual comprehensive readiness validation

PARTICIPANTS:

All stakeholders, often multi-organizational

CISA Tabletop Exercise Planning Process

8-step HSEEP planning methodology

Establish Exercise Planning Team

Foundation8-12 weeks before exercise

Identify planning team members, assign roles, schedule planning meetings

Key Deliverables:

Planning team rosterMeeting scheduleRoles and responsibilities

Define Scope and Objectives

Foundation8-12 weeks before exercise

Determine what capabilities will be tested and what success looks like

Key Deliverables:

SMART objectivesScope statementCore capabilities list

Develop Scenario

Design6-8 weeks before exercise

Create realistic scenario that drives toward exercise objectives

Key Deliverables:

Master scenario events list (MSEL)Scenario narrativeInjects

Develop Exercise Documentation

Design4-6 weeks before exercise

Create exercise plan, situation manual, evaluation guides

Key Deliverables:

Exercise planSitManEvaluation guidesController/evaluator handbook

Coordinate Logistics

Preparation2-4 weeks before exercise

Arrange facilities, materials, technology, participant notifications

Key Deliverables:

Participant invitationsFacility arrangementsTechnology setup

Conduct Exercise

ExecutionExercise day

Execute the tabletop exercise according to plan

Key Deliverables:

Exercise executionController notesObserver notes

Evaluate Performance

EvaluationDuring and immediately after

Assess performance against objectives, identify strengths and gaps

Key Deliverables:

Evaluation notesHot wash notesParticipant feedback

Develop After-Action Report

Improvement2-4 weeks after exercise

Document findings, recommendations, improvement plan

Key Deliverables:

After-Action Report (AAR)Improvement Plan (IP)Corrective actions

Critical Infrastructure Focus

CISA recognizes 16 critical infrastructure sectors. Tabletop exercises should consider sector-specific threats and cross-sector dependencies:

⚡

Energy

Grid disruption, SCADA/ICS attacks, NERC CIP compliance

🏥

Healthcare

Patient data breaches, medical device security, HIPAA compliance

🏦

Financial Services

Payment system disruption, fraud, PCI DSS compliance

✈️

Transportation

Operational technology attacks, GPS spoofing, TSA requirements

💧

Water/Wastewater

SCADA attacks, treatment disruption, EPA compliance

📡

Communications

Network outages, data interception, FCC requirements

🏛️

Government

Classified data, citizen data breaches, FISMA compliance

🏭

Manufacturing

OT/IT convergence, IP theft, supply chain attacks

Cross-Sector Dependencies

CISA Evaluation Methodology

CISA provides standardized evaluation guides that assess performance against core capabilities:

Planning

• Are plans current and accessible?
• Do participants know their roles?
• Are procedures clear and actionable?

Operational Coordination

• Is communication timely and effective?
• Are decision-making authorities clear?
• Is coordination with external entities effective?

Intelligence & Information Sharing

• Is information shared appropriately?
• Are reporting procedures followed?
• Is threat intelligence integrated?

Operational Communications

• Are backup communications available?
• Can teams communicate during outages?
• Are communication protocols followed?

Public Information & Warning

• Are messages timely and accurate?
• Is coordination with PIO effective?
• Are stakeholders appropriately informed?

Cybersecurity

• Are cyber threats detected quickly?
• Are response actions appropriate?
• Is recovery timely and complete?

CISA Resources and Support

Free tools and assistance available from CISA

Exercise Starter Kits

Pre-built scenarios, templates, and planning guides for common threat scenarios

How to Access:

Download from cisa.gov/exercise-starter-kits

Includes:

Scenario templatesMSEL templatesSitMan templatesAAR templates

CISA Exercise Support

Free facilitation support and subject matter experts for exercises

How to Access:

Request via cisa.gov/request-exercise-support

Includes:

Exercise planning assistanceFacilitatorsEvaluatorsPost-exercise support

Cyber Exercise Playbook

Detailed guidance on planning and conducting cyber exercises

How to Access:

Download from cisa.gov/cyber-exercise-playbook

Includes:

Best practicesSample scenariosFacilitation tipsEvaluation guides

After-Action Report Templates

Standardized formats for documenting exercise results

How to Access:

Available at hseep.dhs.gov

Includes:

AAR formatImprovement plan formatCorrective action tracking

Reporting to CISA

Critical infrastructure organizations should consider sharing exercise findings with CISA to contribute to national resilience:

When Required

• If exercise reveals reportable incident
• If funded by CISA grants
• If CISA support was provided

When Encouraged

• Significant capability gaps identified
• Cross-sector coordination tested
• Novel attack vectors simulated

When Optional

• Internal exercises
• Routine testing
• Vendor-led exercises

CISA-Aligned Tabletop Exercises

Breakpoint scenarios follow CISA HSEEP methodology and include sector-specific scenarios for all 16 critical infrastructure sectors. Generate CISA-compliant After-Action Reports automatically.

Start Free Trial Government Solutions

CISA Tabletop Exercise Guide

Why CISA Guidance Matters

CISA Exercise Program Overview

The CISA Exercise Progression

Orientation Seminar

Characteristics:

Workshop

Characteristics:

Tabletop Exercise (TTX)

Characteristics:

Drill

Characteristics:

Full-Scale Exercise

Characteristics:

CISA Tabletop Exercise Planning Process

Establish Exercise Planning Team

Define Scope and Objectives

Develop Scenario

Develop Exercise Documentation

Coordinate Logistics

Conduct Exercise

Evaluate Performance

Develop After-Action Report

Critical Infrastructure Focus

Energy

Healthcare

Financial Services

Transportation

Water/Wastewater

Communications

Government

Manufacturing

Cross-Sector Dependencies

CISA Evaluation Methodology

Planning

Operational Coordination

Intelligence & Information Sharing

Operational Communications

Public Information & Warning

Cybersecurity

CISA Resources and Support

Exercise Starter Kits

CISA Exercise Support

Cyber Exercise Playbook

After-Action Report Templates

Reporting to CISA

When Required

When Encouraged

When Optional

CISA-Aligned Tabletop Exercises

Related Articles

Creating Effective Tabletop Exercise Scenarios

How to Test Your Incident Response Plan

NIST Incident Response Framework Guide

CISA Tabletop Exercise Guide

Why CISA Guidance Matters

CISA Exercise Program Overview

The CISA Exercise Progression

Orientation Seminar

Characteristics:

Workshop

Characteristics:

Tabletop Exercise (TTX)

Characteristics:

Drill

Characteristics:

Full-Scale Exercise

Characteristics:

CISA Tabletop Exercise Planning Process

Establish Exercise Planning Team

Define Scope and Objectives

Develop Scenario

Develop Exercise Documentation

Coordinate Logistics

Conduct Exercise

Evaluate Performance

Develop After-Action Report

Critical Infrastructure Focus

Energy

Healthcare