Navigate

IR-8

IR-8: Incident Response Plan

a: Develop an incident response plan that:
- 1: Provides the organization with a roadmap for implementing its incident response capability;
- 2: Describes the structure and organization of the incident response capability;
- 3: Provides a high-level approach for how the incident response capability fits into the overall organization;
- 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- 5: Defines reportable incidents;
- 6: Provides metrics for measuring the incident response capability within the organization;
- 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability;
- 8: Addresses the sharing of incident information;
- 9: Is reviewed and approved by [personnel or roles that review and approve the incident response plan is/are identified;] [the frequency at which to review and approve the incident response plan is defined;] ; and
- 10: Explicitly designates responsibility for incident response to [entities, personnel, or roles with designated responsibility for incident response are defined;].

b: Distribute copies of the incident response plan to [incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;];

c: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

d: Communicate incident response plan changes to [one of ] ; and

e: Protect the incident response plan from unauthorized disclosure and modification.

Supplemental

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
CMMC, DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate), Privacy Control Baseline (CNSSI 1253)

CSF Categories
DE.AE-3, DE.AE-5, ID.SC-5, PR.IP-7, PR.IP-8, PR.IP-9, RC.IM-1, RC.IM-2, RC.RP-1, RS.AN-4, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.IM-1, RS.IM-2, RS.RP-1

Related Controls

The controls below (if any) were marked by NIST as being related to IR-8.

Control	Description
AC-2	a: Define and document the types of accounts allowed and specifically prohibited for use within the system; b: Assign account managers; c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership; d: Specify: 1: Authorized users of the system; 2: Group and role membership; and 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account; e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts; f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;]; g: Monitor the use of accounts; h: Notify account managers and [personnel or roles to be notified is/are defined;] within: 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required; 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual; i: Authorize access to the system based on: 1: A valid access authorization; 2: Intended system usage; and 3: [attributes needed to authorize system access (as required) are defined;]; j: Review accounts for compliance with account management requirements [the frequency of account review is defined;]; k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l: Align account management processes with personnel termination and transfer processes.
CP-2	a: Develop a contingency plan for the system that: 1: Identifies essential mission and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6: Addresses the sharing of contingency information; and 7: Is reviewed and approved by [one of ]; b: Distribute copies of the contingency plan to [one of ]; c: Coordinate contingency planning activities with incident handling activities; d: Review the contingency plan for the system [frequency of contingency plan review is defined;]; e: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicate contingency plan changes to [one of ]; g: Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h: Protect the contingency plan from unauthorized disclosure and modification.
CP-4	a: Test the contingency plan for the system [frequency of testing the contingency plan for the system is defined;] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [one of ]. b: Review the contingency plan test results; and c: Initiate corrective actions, if needed.
IR-4	a: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b: Coordinate incident handling activities with contingency planning activities; c: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
IR-7	Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
IR-9	Respond to information spills by: a: Assigning [personnel or roles assigned the responsibility for responding to information spills is/are defined;] with responsibility for responding to information spills; b: Identifying the specific information involved in the system contamination; c: Alerting [personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;] of the information spill using a method of communication not associated with the spill; d: Isolating the contaminated system or system component; e: Eradicating the information from the contaminated system or component; f: Identifying other systems or system components that may have been subsequently contaminated; and g: Performing the following additional actions: [actions to be performed are defined;].
PE-6	a: Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b: Review physical access logs [the frequency at which to review physical access logs is defined;] and upon occurrence of [events or potential indication of events requiring physical access logs to be reviewed are defined;] ; and c: Coordinate results of reviews and investigations with the organizational incident response capability.
PL-2	a: Develop security and privacy plans for the system that: 1: Are consistent with the organization’s enterprise architecture; 2: Explicitly define the constituent system components; 3: Describe the operational context of the system in terms of mission and business processes; 4: Identify the individuals that fulfill system roles and responsibilities; 5: Identify the information types processed, stored, and transmitted by the system; 6: Provide the security categorization of the system, including supporting rationale; 7: Describe any specific threats to the system that are of concern to the organization; 8: Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10: Provide an overview of the security and privacy requirements for the system; 11: Identify any relevant control baselines or overlays, if applicable; 12: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13: Include risk determinations for security and privacy architecture and design decisions; 14: Include security- and privacy-related activities affecting the system that require planning and coordination with [individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;] ; and 15: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b: Distribute copies of the plans and communicate subsequent changes to the plans to [personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;]; c: Review the plans [frequency to review system security and privacy plans is defined;]; d: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e: Protect the plans from unauthorized disclosure and modification.
SA-15	a: Require the developer of the system, system component, or system service to follow a documented development process that: 1: Explicitly addresses security and privacy requirements; 2: Identifies the standards and tools used in the development process; 3: Documents the specific tool options and tool configurations used in the development process; and 4: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b: Review the development process, standards, tools, tool options, and tool configurations [frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [one of ].
SI-12	Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
SR-8	Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [one or more of "notification of supply chain compromises"/"{{ insert: param, sr-08_odp.02 }} "].

Enhancements

The controls below (if any) add on to the requirements of IR-8.

Control	Description
IR-8(1)	Include the following in the Incident Response Plan for breaches involving personally identifiable information: (a): A process to determine if notice to individuals or other organizations, including oversight organizations, is needed; (b): An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and (c): Identification of applicable privacy requirements.

Control

Description

IR-8(1)

Include the following in the Incident Response Plan for breaches involving personally identifiable information:

(a): A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;

(b): An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and

(c): Identification of applicable privacy requirements.

Related CCIs

The CCIs below are tied to IR-8.

CCI	Definition
CCI-000844	Develop an incident response plan that is reviewed and approved by organization-defined personnel or roles on an organization-defined frequency.
CCI-000845	Defines incident response personnel (identified by name and/or by role) and organizational elements to whom copies of the incident response plan are distributed.
CCI-000846	Distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
CCI-000849	Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
CCI-000850	Communicate incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
CCI-002794	Develop an incident response plan.
CCI-002795	Develop an incident response plan that provides the organization with a roadmap for implementing its incident response capability.
CCI-002796	Develop an incident response plan that describes the structure and organization of the incident response capability.
CCI-002797	Develop an incident response plan that provides a high-level approach for how the incident response capability fits into the overall organization.
CCI-002798	Develop an incident response plan that meets the unique requirements of the organization, which relate to mission, size, structure, and functions.
CCI-002799	Develop an incident response plan that defines reportable incidents.
CCI-002800	Develop an incident response plan that provides metrics for measuring the incident response capability within the organization.
CCI-002801	Develop an incident response plan that defines the resources and management support needed to effectively maintain and mature an incident response capability.
CCI-002802	Defines personnel or roles to review and approve the incident response plan.
CCI-002803	Defines incident response personnel (identified by name and/or by role) and organizational elements to whom incident response plan changes will be communicated.
CCI-002804	Protect the incident response plan from unauthorized disclosure and modification.
CCI-004157	Develop an incident response plan that addresses the sharing of incident information.
CCI-004158	Defines the frequency organization-defined personnel or roles will review and approve the incident response plan.
CCI-004159	Develop an incident response plan that explicitly designates responsibility for incident response to organization-defined entities, personnel, or roles.