What is AFI17-203 CYBER INCIDENT HANDLING?
AFI17-203 is the Air Force Instruction that provides guidelines and procedures for handling cyber incidents within the Air Force.

Who is responsible for cyber incident handling according to AFI17-203?
The Air Force Cyberspace Security and Control Center (ACSCC) is responsible for coordinating and managing cyber incident handling efforts.

What qualifies as a cyber incident under AFI17-203?
A cyber incident is any attempted or actual unauthorized access, use, disclosure, disruption, modification, or destruction of information systems or information.

How should cyber incidents be reported?
All cyber incidents must be reported to the Air Force Incident Management Cell (AFIMC) using the Cyber Security and Control System (CSCS).

What is the timeframe for reporting a cyber incident?
Cyber incidents must be reported within two hours of detection or suspicion, and all reporting entities are required to provide an initial report within 24 hours.

Is AFI17-203 applicable to all Air Force units and personnel?
Yes, AFI17-203 applies to all Air Force units, personnel, and organizations, including contractors and foreign allies operating Air Force information systems.

What are the key steps in handling a cyber incident according to AFI17-203?
The key steps in handling a cyber incident include preparation, detection and analysis, containment, eradication and recovery, post-incident activity, and reporting and documentation.

Can a commander decide not to report a cyber incident?
No, commanders are required to report all cyber incidents, even if initially uncertain of the impact or extent.

What is the purpose of the post-incident activity phase?
The post-incident activity phase focuses on analyzing the root cause of the incident, identifying lessons learned, and implementing corrective measures to improve future cyber incident handling.