NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-2 Incident Response Training

a. Provide incident response training to system users consistent with assigned roles and responsibilities:
   1. Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;
   2. When required by system changes; and
   3. {{ insert: param, ir-02_odp.02 }} thereafter; and
b. Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}.

Supplemental Guidance

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3). Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Practitioner Notes

Your people need to know what to do when an incident happens — before it happens. This means formal training for anyone with a role in your incident response process, not just IT staff but also managers and communications personnel.

Example 1: Enroll your IR team in SANS SEC504 (Hacker Tools, Techniques, and Incident Handling) or equivalent training. For general staff, assign a yearly security awareness module through KnowBe4 or Proofpoint that covers how to report suspicious activity.

Example 2: Conduct a lunch-and-learn session quarterly where your IT security lead walks through a real-world breach case study. Document attendance in a training log spreadsheet that tracks who attended, the date, and topics covered. This log becomes your evidence for auditors.