Incident Response (IR)¶

• a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] incident response policy that:
    • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  • 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
• b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
• c. Review and update the current incident response:
  • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

External Link for Additional Information: myctrl.tools

• a. Provide incident response training to system users consistent with assigned roles and responsibilities:
  • 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access;
  • 2. When required by system changes; and
  • 3. [Assignment: organization-defined frequency] thereafter; and
• b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

External Link for Additional Information: myctrl.tools

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

External Link for Additional Information: myctrl.tools

Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].

External Link for Additional Information: myctrl.tools

Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].

External Link for Additional Information: myctrl.tools

Test the incident response capability using [Assignment: organization-defined automated mechanisms].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Coordinate incident response testing with organizational elements responsible for related plans.

External Link for Additional Information: myctrl.tools

Use qualitative and quantitative data from testing to:

• (a) Determine the effectiveness of incident response processes;
• (b) Continuously improve incident response processes; and
• (c) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
• b. Coordinate incident handling activities with contingency planning activities;
• c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
• d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

External Link for Additional Information: myctrl.tools

Support the incident handling process using [Assignment: organization-defined automated mechanisms].

External Link for Additional Information: myctrl.tools

Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].

External Link for Additional Information: myctrl.tools

Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

External Link for Additional Information: myctrl.tools

Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement an incident handling capability for incidents involving insider threats.

External Link for Additional Information: myctrl.tools

Coordinate an incident handling capability for insider threats that includes the following organizational entities [Assignment: organization-defined entities].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Coordinate with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].

External Link for Additional Information: myctrl.tools

Analyze malicious code and/or other residual artifacts remaining in the system after the incident.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Analyze anomalous or suspected adversarial behavior in or related to [Assignment: organization-defined environments or resources].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Establish and maintain a security operations center.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Manage public relations associated with an incident; and
• (b) Employ measures to repair the reputation of the organization.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Track and document incidents.

External Link for Additional Information: myctrl.tools

Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].

External Link for Additional Information: myctrl.tools

• a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
• b. Report incident information to [Assignment: organization-defined authorities].

External Link for Additional Information: myctrl.tools

Report incidents using [Assignment: organization-defined automated mechanisms].

External Link for Additional Information: myctrl.tools

Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

External Link for Additional Information: myctrl.tools

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

External Link for Additional Information: myctrl.tools

Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].

External Link for Additional Information: myctrl.tools

• (a) Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and
• (b) Identify organizational incident response team members to the external providers.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Develop an incident response plan that:
  • 1. Provides the organization with a roadmap for implementing its incident response capability;
  • 2. Describes the structure and organization of the incident response capability;
  • 3. Provides a high-level approach for how the incident response capability fits into the overall organization;
  • 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  • 5. Defines reportable incidents;
  • 6. Provides metrics for measuring the incident response capability within the organization;
  • 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
  • 8. Addresses the sharing of incident information;
  • 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
  • 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].
• b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel];
• c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
• d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
• e. Protect the incident response plan from unauthorized disclosure and modification.

External Link for Additional Information: myctrl.tools

Include the following in the Incident Response Plan for breaches involving personally identifiable information:

• (a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
• (b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
• (c) Identification of applicable privacy requirements.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Respond to information spills by:

• a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
• b. Identifying the specific information involved in the system contamination;
• c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
• d. Isolating the contaminated system or system component;
• e. Eradicating the information from the contaminated system or component;
• f. Identifying other systems or system components that may have been subsequently contaminated; and
• g. Performing the following additional actions: [Assignment: organization-defined actions].

External Link for Additional Information: myctrl.tools

Provide information spillage response training [Assignment: organization-defined frequency].

External Link for Additional Information: myctrl.tools

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures].

External Link for Additional Information: myctrl.tools

Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].

External Link for Additional Information: myctrl.tools