This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization tests the incident response capability for the information system [FedRAMP Assignment: (M) at least annually; (H) at least every six (6) months, including functional at least annually] using [FedRAMP Assignment: see additional FedRAMP Requirements and Guidance] to determine the incident response effectiveness and documents the results.
Additional FedRAMP Requirements and Guidance:
(M): IR-3-2 Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
(H): The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional Testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
NIST 800-53 (r4) Supplemental Guidance:
Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
References: None.
NIST 800-53 (r5) Discussion:
Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.
38North Guidance:
Meets Minimum Requirement:
The organization tests the incident response capability according to the FedRAMP requirements listed above and develops a test plan in accordance with NIST Special Publication 800-61 (as amended). The test plan is approved by the JAB (or Agency sponsor AO) prior to conducting the test.
Testing includes tabletop exercises, simulations, and/or checklists.
All incident response team members are involved in the incident response test to ensure that all personnel understand their roles and responsibilities.
The test results are documented.
Best Practice:
The incident response plan and/or incident response procedures are updated to incorporate any changes required by the results of the incident response test.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Incident response test plan and test results from within the last year (for Moderate systems), or within the last 6 months (for High systems)
Email communication or documentation showing the test plan was reviewed and approved by the JAB (or Agency sponsor AO) prior to conducting the test
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD