NIST 800-53 REV 5 • INCIDENT RESPONSE
IR-4(2) — Dynamic Reconfiguration
Include the following types of dynamic reconfiguration for {{ insert: param, ir-04.02_odp.02 }} as part of the incident response capability: {{ insert: param, ir-04.02_odp.01 }}.
Supplemental Guidance
Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats.
Practitioner Notes
When an incident is detected, your systems should be able to reconfigure themselves dynamically — blocking an IP, isolating a network segment, or disabling a compromised account — as part of the response, not after a manual review.
Example 1: Configure your firewall (Palo Alto, Fortinet, or pfSense) to accept automated block rules from your SIEM or SOAR. When a confirmed malicious IP is identified, the SOAR playbook pushes a block rule to the firewall in real time.
Example 2: Use Microsoft Defender for Endpoint to automatically isolate a compromised machine from the network while keeping its connection to the Defender cloud for continued investigation. Set up Conditional Access policies in Azure AD that can dynamically block a user's access when their risk level changes to High.
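The decision step behind Example 1, as an added illustration in Python rather than code from NIST or any vendor: a SOAR-side handler that turns a confirmed alert into a time-bound block rule, refuses to auto-block ranges the response itself depends on, and records whether the reconfiguration landed inside the organization-defined time frame. The 15-minute time frame, the protected ranges, the alert field names and the nftables table/set names are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

# Organization-defined time frame for completing the reconfiguration (the ODP in
# IR-4(2)); 15 minutes is an assumed value, not one the control prescribes.
RECONFIG_TIME_FRAME = timedelta(minutes=15)
# Ranges the response itself depends on: blocking them would be self-inflicted
# denial of service, so they are escalated to a human instead (assumed ranges).
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Automated blocks are time-bound so they get reviewed rather than living forever.
BLOCK_TTL = timedelta(hours=24)

@dataclass
class Decision:
    action: str                       # "block", "escalate" or "reject"
    reason: str
    rule: str = ""                    # command a firewall adapter would push
    expires_at: Optional[datetime] = None
    within_time_frame: Optional[bool] = None

def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)

def render_block_rule(ip) -> str:
    # nftables set-element syntax; the table/set names are assumed for this example.
    return f"nft add element inet filter blocklist {{ {ip} }}"

def plan_reconfiguration(alert: dict, now: datetime) -> Decision:
    """Turn a SIEM/SOAR alert into a dynamic reconfiguration decision."""
    if alert.get("status") != "confirmed":
        return Decision("reject", "only confirmed detections trigger automatic blocks")
    try:
        ip = ipaddress.ip_address(alert["indicator"])
    except (KeyError, ValueError):
        return Decision("reject", "indicator is not a single IP address")
    if ip.is_loopback or any(ip in net for net in PROTECTED):
        return Decision("escalate", f"{ip} is in a protected range; needs human approval")
    elapsed = now - parse_time(alert["detected_at"])
    return Decision("block", f"block planned {elapsed} after detection",
                    rule=render_block_rule(ip), expires_at=now + BLOCK_TTL,
                    within_time_frame=elapsed <= RECONFIG_TIME_FRAME)

# Constructed sample alert (field names assumed) and a stand-alone run.
SAMPLE_ALERT = {"status": "confirmed", "indicator": "203.0.113.5",
                "detected_at": "2024-01-01T12:00:00+00:00"}
if __name__ == "__main__":
    print(plan_reconfiguration(SAMPLE_ALERT, parse_time("2024-01-01T12:05:00+00:00")))
```

The `within_time_frame` flag is what an auditor checks against the ODP; a false value on a real incident means the playbook, not the analyst, missed the window.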