This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
(a) Within [Assignment: organization-defined time period; FedRAMP Assignment: (H) ten (10) days] of assuming an incident response role or responsibility;
(b) When required by information system changes; and
(c) [FedRAMP Assignment: (L)(M)(H) at least annually] thereafter.
NIST 800-53 (r4) Supplemental Guidance:
Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8.
References: None.
NIST 800-53 (r5) Discussion:
Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
38North Guidance:
Meets Minimum Requirement:
For a low or moderate system, the organization has defined the time period within which a user assuming an incident response role or responsibility must be trained.
Incident response training is provided according to the frequencies defined above. Examples of incident response training include, but are not limited to, reviewing the incident response policy/plan/procedures; participating in the incident response testing exercises; completing incident response training modules.
There are procedures and training for users on how to report suspected security incidents.
There are procedures for retraining, as required by an information system change.
Best Practice:
CSPs should require that customers also provide incident response training to their employees with incident response responsibilities, as those responsibilities pertain to reporting incidents back to the CSP.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Documentation detailing the incident response training curriculum
Incident response training materials
Incident response training records
List of individuals with an incident response role or responsibility, along with the date that they assumed IR responsibilities.
Records showing these individuals were trained within the required timeframe of assuming IR responsibilities
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD