The planning was given added urgency by a cyber-attack last month on the defence contractor, Lockheed Martin.
A new report from the Pentagon is due out in a matter of weeks.
"A response to a cyber-incident or attack on the US would not necessarily be a cyber-response. All appropriate options would be on the table," Pentagon spokesman Col Dave Lapan told reporters on Tuesday.
Col Lapan confirmed the Pentagon was drawing up a cyber defence strategy, which would be ready in two to three weeks.
Cyber-attacks from foreign nations that threaten widespread US civilian casualties, like cutting off power supplies or shutting down emergency-responder networks, could be treated as an act of aggression under the new policy.
But the plan does not mention how the US may respond to cyber-attackers, such as terrorists, who are not acting for a nation state.
'All necessary means' The Pentagon's planning follows an international strategy statement on cyber-security, issued by the White House on 16 May.
AnalysisAmerican strategists are wrestling with the big, new questions of cyber war. What constitutes cyber attack? What laws, definitions and principles should governments use to formulate their response?
How do you tell the difference between a virtual annoyance perpetrated by criminals and hackers and an act of war perpetrated by a nation state? This question is perhaps the biggest difficulty facing those who are charged with writing the doctrine of cyber war.
It's often referred to as the "attribution problem". When an American entity - a government department, the military or a corporation - becomes aware they are under cyber-attack when their networks start malfunctioning, how do they know who is doing the attacking?
Savvy Computer Network Defence (CND) specialists may be able to track the attack to a specific country, even to a specific internet address. But who is operating the computer terminal? An operative of a rival state acting under orders? Or a hacker acting on her own initiative? Or something in between?
"Whose fingers are on the keyboard?" ask the CND specialists. When you don't know who your attacker is, finding a legal and ethical response becomes very difficult.
The Wall Street Journal quoted a military official as saying: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."
White House officials said consideration of a military response to a cyber-attack would constitute a "last resort", after other efforts to deter an attack had failed, the New York Times newspaper reported.
Sophistication of hackers One of the difficulties strategists are grappling with is how to track down reliably the cyber-attackers who deliberately obscure the origin of their incursions.
The sophistication of hackers and frequency of the attacks came back into focus after an attack on arms-maker Lockheed Martin on 21 May.
Lockheed said the "tenacious" cyber-attack on its network was part of a pattern of attacks on it from around the world.
The worst cyber-attack against the US military occurred in 2008, when malicious software on a flash drive commandeered computers at US Central Command.
The US defence department estimates that more than 100 foreign intelligence organizations have attempted to break into American networks.
The US is also accused of using cyber warfare against other nations. In 2010 Iran accused the US of helping to develop Stuxnet, a software worm aimed at controlling systems in Iranian nuclear plants.