Embedded Files
This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
(a) Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
(b) Distributes copies of the incident response plan to [FedRAMP Assignment: (L)(M)(H) see additional FedRAMP Requirements and Guidance];
(c) Reviews the incident response plan [FedRAMP Assignment: (L)(M)(H) at least annually];
(d) Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
(e) Communicates incident response plan changes to [FedRAMP Assignment: (L)(M)(H) see additional FedRAMP Requirements and Guidance]; and
(f) Protects the incident response plan from unauthorized disclosure and modification.
Additional FedRAMP Requirements and Guidance:
(L)(M)(H) IR-8 (b) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
(L)(M)(H) IR-8 (e) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
NIST 800-53 (r4) Supplemental Guidance:
It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5.
References: NIST Special Publication 800-61.
NIST 800-53 (r5) Discussion:
It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.
38North Guidance:
Meets Minimum Requirement:
The organization has defined who will review and approve the Incident Response Plan (IRP).
The organization has defined who will receive copies of the IRP, and IRP updates when they occur, to include designated FedRAMP personnel.
An IRP has been developed and documented that contains all elements required in part a.
The IRP contains roles and responsibilities that are involved in the incident handling process who should be receiving a copy of the plan as well as be notified if there are any changes to the plan.
The IRP is reviewed at least annually and updated if needed. The updates address any issues detailed in after action reports or incident response test results.
The IRP is stored in a secured repository where only authorized personnel are able to access it and/or modify it as needed.
There are procedures or checkpoints in place to ensure that the IRP is updated when system/organizational changes or problems are encountered during plan implementation, execution, or testing.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Copy of the Incident Response Plan, which contains a revision history or change table
Procedures for and evidence of communication method used to notify individuals of changes to the plan, such as emails, automatic notifications provided by the repository, etc.
Configurations showing the access controls in place for the repository where the plan is stored.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD
Page updated
Report abuse