a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
   1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] incident response policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
c. Review and update the current incident response:
   1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
   2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
a. Provide incident response training to system users consistent with assigned roles and responsibilities:
   1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access;
   2. When required by system changes; and
   3. [Assignment: organization-defined frequency] thereafter; and
b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].
Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].
Test the incident response capability using [Assignment: organization-defined automated mechanisms].
Coordinate incident response testing with organizational elements responsible for related plans.
Use qualitative and quantitative data from testing to:
   (a) Determine the effectiveness of incident response processes;
   (b) Continuously improve incident response processes; and
   (c) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
Support the incident handling process using [Assignment: organization-defined automated mechanisms].
Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].
Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents].
Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
Implement an incident handling capability for incidents involving insider threats.
Coordinate an incident handling capability for insider threats that includes the following organizational entities: [Assignment: organization-defined entities].
Coordinate with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents.
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].
Analyze malicious code and/or other residual artifacts remaining in the system after the incident.
Analyze anomalous or suspected adversarial behavior in or related to [Assignment: organization-defined environments or resources].
Establish and maintain a security operations center.
(a) Manage public relations associated with an incident; and
(b) Employ measures to repair the reputation of the organization.
Track and document incidents.
Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].
a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
b. Report incident information to [Assignment: organization-defined authorities].
Report incidents using [Assignment: organization-defined automated mechanisms].
Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles].
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].
(a) Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and
(b) Identify organizational incident response team members to the external providers.
a. Develop an incident response plan that:
   1. Provides the organization with a roadmap for implementing its incident response capability;
   2. Describes the structure and organization of the incident response capability;
   3. Provides a high-level approach for how the incident response capability fits into the overall organization;
   4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
   5. Defines reportable incidents;
   6. Provides metrics for measuring the incident response capability within the organization;
   7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
   8. Addresses the sharing of incident information;
   9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
   10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].
b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
e. Protect the incident response plan from unauthorized disclosure and modification.
Include the following in the Incident Response Plan for breaches involving personally identifiable information:
   (a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
   (b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
   (c) Identification of applicable privacy requirements.
Respond to information spills by:
a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
b. Identifying the specific information involved in the system contamination;
c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
d. Isolating the contaminated system or system component;
e. Eradicating the information from the contaminated system or component;
f. Identifying other systems or system components that may have been subsequently contaminated; and
g. Performing the following additional actions: [Assignment: organization-defined actions].
[Withdrawn: Incorporated into IR-9.]
Provide information spillage response training [Assignment: organization-defined frequency].
Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures].
Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].
[Withdrawn: Moved to IR-4(11).]