
Incident Response

Policy and Procedures

IR-01

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-01
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] incident response policy that:
      • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    • 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
  • b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
  • c. Review and update the current incident response:
    • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Response Training

IR-02

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-02
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Provide incident response training to system users consistent with assigned roles and responsibilities:
    • 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access;
    • 2. When required by system changes; and
    • 3. [Assignment: organization-defined frequency] thereafter; and
  • b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Simulated Events

IR-02(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-02(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automated Training Environments

IR-02(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-02(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Response Testing

IR-03

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-03
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


IR-03(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-03(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Coordinate incident response testing with organizational elements responsible for related plans.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Handling

IR-04

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
  • b. Coordinate incident handling activities with contingency planning activities;
  • c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
  • d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automated Incident Handling Processes

IR-04(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Support the incident handling process using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Dynamic Reconfiguration

IR-04(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Information Correlation

IR-04(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Insider Threats

IR-04(06)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(06)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement an incident handling capability for incidents involving insider threats.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Integrated Incident Response Team

IR-04(11)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(11)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Monitoring

IR-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Track and document incidents.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automated Tracking, Data Collection, and Analysis

IR-05(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-05(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Reporting

IR-06

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-06
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
  • b. Report incident information to [Assignment: organization-defined authorities].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automated Reporting

IR-06(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-06(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Report incidents using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Supply Chain Coordination

IR-06(03)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-06(03)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Response Assistance

IR-07

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-07
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automation Support for Availability of Information and Support

IR-07(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-07(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Response Plan

IR-08

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-08
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Develop an incident response plan that:
    • 1. Provides the organization with a roadmap for implementing its incident response capability;
    • 2. Describes the structure and organization of the incident response capability;
    • 3. Provides a high-level approach for how the incident response capability fits into the overall organization;
    • 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
    • 5. Defines reportable incidents;
    • 6. Provides metrics for measuring the incident response capability within the organization;
    • 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
    • 8. Addresses the sharing of incident information;
    • 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
    • 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].
  • b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel];
  • c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
  • d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
  • e. Protect the incident response plan from unauthorized disclosure and modification.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Information Spillage Response

IR-09

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-09
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Respond to information spills by:

  • a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
  • b. Identifying the specific information involved in the system contamination;
  • c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
  • d. Isolating the contaminated system or system component;
  • e. Eradicating the information from the contaminated system or component;
  • f. Identifying other systems or system components that may have been subsequently contaminated; and
  • g. Performing the following additional actions: [Assignment: organization-defined actions].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Training

IR-09(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-09(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide information spillage response training [Assignment: organization-defined frequency].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Post-spill Operations

IR-09(03)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-09(03)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Exposure to Unauthorized Personnel

IR-09(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-09(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.

