NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-8(1) Breaches

Include the following in the Incident Response Plan for breaches involving personally identifiable information:

(a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;

(b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and

(c) Identification of applicable privacy requirements.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements.

Practitioner Notes

If your organization handles personally identifiable information, your IR plan needs a specific section on data breaches — including how you determine whether notification is required and how you carry it out.

Example 1: Add a breach notification annex to your IR plan that includes decision trees for determining whether notification is required under each applicable regime (state breach notification statutes, HIPAA, GDPR), including any encryption or safe-harbor provisions that statute recognizes. Include template notification letters for individuals and regulators so that drafting does not start from scratch during an incident.

Example 2: Document your breach assessment process: who determines scope, how you identify affected individuals, what your notification timeline is under each applicable regime (for example, GDPR Article 33 expects notice to the supervisory authority where feasible within 72 hours, while the HIPAA Breach Notification Rule allows no more than 60 calendar days), and who approves external communications. Include contact information for your state attorney general's office, HHS (if HIPAA applies), and your cyber insurance carrier's breach coach, and verify that contact list at least annually.