NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-8Incident Response Plan

Develop an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; Addresses the sharing of incident information; Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}. Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }}; Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and Protect the incident response plan from unauthorized disclosure and modification.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

Practitioner Notes

The incident response plan is the master document that ties everything together. It defines roles, responsibilities, communication procedures, and the step-by-step process for handling incidents from detection through recovery.

Example 1: Write your IR plan using NIST SP 800-61 Rev 2 as a template. Include sections for: purpose and scope, roles and responsibilities (name specific people), communication procedures (internal and external), incident categories and severity levels, and step-by-step procedures for each phase.

Example 2: Store the IR plan in a location accessible even if your primary systems are down — a printed copy in a fire safe, a copy on a secured USB drive, or in a cloud-based document store separate from your main infrastructure. Review and update it at least annually and after every significant incident.

More Incident Response Controls

IR-1 Policy and Procedures IR-2 Incident Response Training IR-2(1) Simulated Events IR-2(2) Automated Training Environments