This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
(a) Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
(b) Coordinates incident handling activities with contingency planning activities; and
(c) Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Additional FedRAMP Requirements and Guidance:
The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
NIST 800-53 (r4) Supplemental Guidance:
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
References: None.
NIST 800-53 (r5) Discussion:
Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.
38North Guidance:
Meets Minimum Requirement:
The organization has developed a process for handling incidents that includes preparation, detection and analysis, containment, eradication, and recovery. This process is documented in the Incident Response Plan or IR procedures and details the steps taken during each phase and the responsible parties involved.
The organization conducts IR testing in coordination with CP exercises, for example by using a security incident as the scenario that triggers contingency activities during a CP test. The IR testing includes members of leadership/management as well as contingency planning personnel.
The organization documents any lessons learned or recommendations to improve the incident response process after a security incident occurs and incorporates them by making any necessary updates to IR procedures, IR training, and/or IR tests/exercises.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Copy of the Incident Response Plan or IR Procedures which details the incident handling process
Copy of IR test results showing that contingency planning personnel were involved, and/or copy of CP test exercise records showing that Incident Response Team members were involved
Revision history for IR procedures, IR training, and/or IR test plan to show that any lessons learned from previous security incidents have been incorporated
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD