Developing a Cyber Security Annex for Incident Response

AWR366 – 6.00 Hours


EC AWR366 65 Register

This schedule is subject to change without notice. If you have not received confirmation of the class prior to the class start, please contact the division at or [email protected] to get the latest schedule.

Course Description

Cyber-attacks occur more frequently and have become increasingly sophisticated. Cybersecurity events now have the potential to significantly disrupt the business operations of government and critical infrastructure services. Public and private sectors, in the United States, are at increasing and continual risk of surprise attacks from nation-state and non-state actors. (Burgess, 2018)

The National Response Framework describes how preparedness can be achieved by developing an incident annex for each hazard. Incident annexes describe coordinating structures used to deliver core capabilities and support response missions unique to a specific type of incident. Incident annexes describe specialized response teams, resources, roles, responsibilities, and other scenario-specific considerations. 

At the end of this course, participants should possess the fundamentals needed to design and develop a cyber annex for states, locals, tribes, and/or territories (SLTTs). It addresses what the annex is, how it is used, who should participate in the design, implementation, and execution. 

NCPC logo    UTSA CIAS logo

This course is offered by the National Cybersecurity Preparedness Consortium (NCPC) and was developed by the NCPC partner The University of Texas at San Antonio Center for Infrastructure Assurance and Security (UTSA/CIAS).  The course is funded through the DHS/FEMA Homeland Security National Training Program and is offered at no cost.


Must be a U.S. Citizen or Permanent Resident or receive approval from TEEX/DHS-FEMA prior to the start of the class. Please contact us for more information on the approval process.

Course Completion Requirements

Students must receive a minimum score of 70% on the Post-Test to receive their certificate.

Attendance Requirements

To meet attendance requirements, participants must review each training module and complete all required course assignments, activities, quizzes, and/or end of course exam.

Computer with an Internet connection and up-to-date web browser

Upon successful completion, you will be able to:

  • Describe the purpose and importance of a cyber annex and will be able to summarize the scope and purpose of a cyber annex
  • Identify various roles and responsibilities included in the development of a cyber annex.
  • Identify various types of cyber incidents
  • Recognize how severity and impact influence escalation processes
  • Recognize the components of an incident response plan and the functions they serve in the cyber annex
  • Describe the components needed to establish an incident response team
  • Summarize aspects of information sharing
  • Determine activities needed for training and exercises
  • Identify a variety of resources available for cyber annex development

Suggested Audience

The target audience for this course should include personnel assigned to work in the jurisdiction’s emergency operations center, policy makers, elected and/or appointed officials, emergency responders, IT personnel with responsibilities for identifying and responding to cyber events for SLTT government, private industry, and critical infrastructure representatives.

Government Programs

Contact Information

Business & Cyber Solutions
Phone: (979) 431-4837
Email: [email protected]