NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-4(5) Automatic Disabling of System

Implement a configurable capability to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of [CP-2](#cp-2) or [IR-4(3)](#ir-4.3). Security violations include cyber-attacks that have compromised the integrity of the system or exfiltrated organizational information, and serious errors in software programs that could adversely impact organizational missions or functions or jeopardize the safety of individuals.

Practitioner Notes

In extreme cases, a system may need to shut itself down automatically to prevent further damage. This enhancement calls for configurable triggers that can disable a system when certain security violations are detected.

Example 1: Configure your endpoint detection tool (CrowdStrike, Microsoft Defender for Endpoint, or SentinelOne) to automatically isolate a machine from the network when it detects ransomware encryption behavior or a known exploit chain.

Example 2: Set up a GPO or Intune compliance policy that marks a device as non-compliant when critical security settings are tampered with. Pair this with a Conditional Access policy in Azure AD that blocks non-compliant devices from accessing corporate resources until the issue is resolved.
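The following is an added illustration (not part of the control text or any vendor's product) of the decision logic behind a configurable auto-disable capability: the organization-defined trigger set stands in for the ir-04.05_odp parameter, and hosts covered by CP-2 continuity requirements are escalated for a human decision rather than disabled automatically. The event shape, category names, confidence threshold and host names are assumptions.

```python
"""Configurable auto-disable policy evaluator for IR-4(5). Added illustration;
trigger names, event shape and host names are assumptions, not any product's API."""
from dataclasses import dataclass

# Constructed policy: detection categories that may trigger automatic
# disabling (standing in for the organization-defined parameter ir-04.05_odp),
# a confidence floor, and CP-2 continuity-critical hosts that must not be
# disabled without a human decision.
POLICY = {
    "disable_triggers": {"ransomware_encryption", "known_exploit_chain",
                         "security_setting_tamper"},
    "min_confidence": 0.8,
    "continuity_critical_hosts": {"plc-gw-01", "ehr-db-01"},
}

@dataclass
class Decision:
    host: str
    action: str   # "disable", "escalate" or "none"
    reason: str

def evaluate(event: dict, policy: dict = POLICY) -> Decision:
    """event: {"host": str, "category": str, "confidence": float}"""
    host, cat = event["host"], event["category"]
    conf = event.get("confidence", 0.0)
    if cat not in policy["disable_triggers"]:
        return Decision(host, "none", f"{cat} is not a configured trigger")
    if conf < policy["min_confidence"]:
        return Decision(host, "none", f"confidence {conf} below threshold")
    # CP-2 / IR-4(3) conflict check: continuity-critical systems are
    # escalated for a human decision instead of being disabled automatically.
    if host in policy["continuity_critical_hosts"]:
        return Decision(host, "escalate",
                        f"{cat} on continuity-critical host; manual approval")
    return Decision(host, "disable", f"{cat} detected, confidence {conf}")

def evaluate_all(events, policy=POLICY):
    return [evaluate(e, policy) for e in events]

# Constructed sample detections (ransomware, benign scan, exploit chain on a
# continuity-critical host, and a low-confidence tamper alert)
SAMPLE_EVENTS = [
    {"host": "ws-1042", "category": "ransomware_encryption", "confidence": 0.97},
    {"host": "ws-1043", "category": "port_scan", "confidence": 0.99},
    {"host": "ehr-db-01", "category": "known_exploit_chain", "confidence": 0.91},
    {"host": "ws-1044", "category": "security_setting_tamper", "confidence": 0.5},
]

if __name__ == "__main__":
    for d in evaluate_all(SAMPLE_EVENTS):
        print(f"{d.host}: {d.action} ({d.reason})")
```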