Respond NIST Cybersecurity Framework 2.0

NIST Cybersecurity Framework: Respond Security Controls

Take action regarding a detected cybersecurity incident.

14 controls

4 critical

57h est. effort

4 categories

Incident Analysis

rs-an-1

Investigate contributing factors to confirmed incidents

Understanding how an incident happened is just as important as stopping it. Investigations that surf...

high 8h

rs-an-2

The impact of the incident is understood

A declared incident may look small at first and reveal itself to be much larger under investigation....

high 3h

rs-an-3

Forensics are performed

Forensic analysis is how you answer the questions that matter most after an incident: how did the at...

high 6h

rs-an-6

Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved

An incident investigation is itself a chain of events that needs to be documented. Without records o...

medium 3h

rs-an-7

Incident data and metadata are collected, and their integrity and provenance are preserved

Incident data, the raw evidence gathered during an investigation, is the factual foundation of every...

medium 3h

Incident Response Reporting and Communication

rs-co-2

Internal and external stakeholders are notified of incidents in a timely manner

Incident communication is an obligation, not an option. Internally, stakeholders need to know what i...

high 4h

rs-co-3

Information is shared with designated internal and external stakeholders

During an incident, information asymmetry creates risk. When security knows the full scope of an att...

medium 3h

Incident Management

rs-ma-1

Execute the incident response plan in coordination with relevant third parties

When an incident is declared, the response plan must be activated immediately and in sync with any e...

critical 8h

rs-ma-2

Triage and validate incident reports

Not every alert or report is a real incident. Triage is the process of quickly determining whether a...

critical 3h

rs-ma-3

Categorize and prioritize incidents

Confirmed incidents are not all equal. A phishing email caught before a click is very different from...

high 2h

rs-ma-4

Escalate or elevate incidents as needed

Some incidents exceed the authority, expertise, or resources of the initial responders. Escalation e...

high 2h

rs-ma-5

Apply the criteria for initiating incident recovery

Moving to recovery too early can reintroduce threats before they are fully eradicated, while waiting...

high 2h

Incident Mitigation

rs-mi-1

Incidents are contained

Containment is the act of stopping an incident from spreading: isolating compromised systems, blocki...

critical 4h

rs-mi-2

Incidents are eradicated

Containment stops the bleeding; eradication removes the infection. Eradication is the process of eli...

critical 6h