BRACKETOLOGY | FEDRAMP

IR-3: INCIDENT RESPONSE TESTING

  • FedRAMP Baseline Membership IR-3:
  • MODERATE
  • HIGH
FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine whether a control or control enhancement is required for each Impact Baseline: LOW, MODERATE, or HIGH.

The baseline-specific control configuration shown below fills in the [BRACKETS] of each control or control enhancement. Review and use the Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

Baseline-specific text appears only where a control or enhancement contains [BRACKETS] or where FedRAMP-specific requirements or guidance exist.

The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.


LOW: There are no FedRAMP-specific requirements for this control on a LOW Impact system.

MODERATE: The organization tests the incident response capability for the information system at least annually using organization-defined tests (see the FedRAMP Requirement below) to determine the incident response effectiveness and documents the results.

FedRAMP REQUIREMENT:

The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to the test commencing.

HIGH: The organization tests the incident response capability for the information system at least every six (6) months using organization-defined tests (see the FedRAMP Requirement below) to determine the incident response effectiveness and documents the results.

FedRAMP REQUIREMENT:

The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to the test commencing.

SUPPLEMENTAL GUIDANCE

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.

RELATED CONTROLS: CP-4, IR-8

CONTROL ENHANCEMENTS

IR-3 (1) INCIDENT RESPONSE TESTING | AUTOMATED TESTING

The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.

Supplemental Guidance:

Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities, for example: (i) by providing more complete coverage of incident response issues; (ii) by selecting more realistic test scenarios and test environments; and (iii) by stressing the response capability.
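The following is an added example, not part of the FedRAMP or NIST text and not any service provider's actual tooling: a minimal automated incident response test harness in the spirit of IR-3 (1). It injects a constructed brute-force scenario into a simulated detection rule and a playbook containment hook, measures detection and containment latency against assumed objectives, records the outcome as a documented result (IR-3 requires that results be documented), and can replay the scenario against many accounts to stress the response path. The log format, the `detect_bruteforce` rule, the `lock_account` and `broken_hook` playbook hooks, and the 15-minute / 1-hour objectives are all assumptions chosen for illustration.

```python
# Added illustrative example; not code from the FedRAMP/NIST page.
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

T0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed start time

# Constructed authentication log: eight failures for one account from one source,
# ten seconds apart, plus one unrelated successful login.
SCENARIO_EVENTS = [
    {"ts": T0 + timedelta(seconds=10 * i), "user": "svc-backup",
     "src": "203.0.113.7", "result": "FAIL"}
    for i in range(8)
] + [{"ts": T0 + timedelta(seconds=90), "user": "alice",
      "src": "198.51.100.4", "result": "OK"}]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Assumed detection rule: `threshold` failures for one (user, src) pair
    inside `window`. Returns the alert for the event that trips the rule, or None."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "FAIL":
            continue
        key = (e["user"], e["src"])
        seen[key] = [t for t in seen[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(seen[key]) >= threshold:
            return {"user": e["user"], "src": e["src"], "ts": e["ts"]}
    return None


@dataclass
class IRTestResult:
    """Documented outcome of one automated IR test run."""
    scenario: str
    started: str
    detection_latency_s: float | None = None
    containment_latency_s: float | None = None
    passed: bool = False
    findings: list[str] = field(default_factory=list)

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def run_ir_test(events, contain: Callable[[dict], dict],
                max_detect=timedelta(minutes=15), max_contain=timedelta(hours=1),
                scenario="credential brute force (constructed)") -> IRTestResult:
    """Drive the injected scenario through detection and the containment hook,
    checking that each stage fires, acts on the right target, and meets its objective."""
    first = min(e["ts"] for e in events if e["result"] == "FAIL")
    result = IRTestResult(scenario=scenario, started=first.isoformat())
    alert = detect_bruteforce(events)
    if alert is None:
        result.findings.append("detection did not fire on injected scenario")
        return result
    result.detection_latency_s = (alert["ts"] - first).total_seconds()
    if alert["ts"] - first > max_detect:
        result.findings.append("detection slower than objective")
    try:
        action = contain(alert)  # playbook hook (assumed interface)
    except Exception as exc:  # a broken hook is itself a test finding, not a crash
        result.findings.append(f"containment hook raised: {exc!r}")
        return result
    result.containment_latency_s = (action["ts"] - alert["ts"]).total_seconds()
    if action.get("target") != alert["user"]:
        result.findings.append("containment acted on wrong target")
    if action["ts"] - alert["ts"] > max_contain:
        result.findings.append("containment slower than objective")
    result.passed = not result.findings
    return result


def lock_account(alert):
    """Assumed playbook step: disable the attacked account three minutes after the alert."""
    return {"action": "disable_account", "target": alert["user"],
            "ts": alert["ts"] + timedelta(minutes=3)}


def broken_hook(alert):
    """Assumed failure mode: the orchestration connector is unavailable."""
    raise RuntimeError("SOAR connector offline")


def stress_test(contain, copies=25):
    """Replay the scenario against `copies` distinct accounts; returns (passed, total)."""
    results = []
    for i in range(copies):
        ev = [dict(e, user=f"{e['user']}-{i}") for e in SCENARIO_EVENTS]
        results.append(run_ir_test(ev, contain))
    return sum(r.passed for r in results), copies


if __name__ == "__main__":
    print(run_ir_test(SCENARIO_EVENTS, lock_account).to_json())
    print(run_ir_test(SCENARIO_EVENTS, broken_hook).to_json())
    print("stress:", stress_test(lock_account))
```

With the constructed log, the rule trips on the fifth failure (40 s after the first), and the simulated lockout lands 180 s after the alert, so the run passes; swapping in the broken hook produces a failed run whose findings record the unavailable connector, which is the kind of deficiency IR-3 testing exists to surface.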


IR-3 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
  • FedRAMP Baseline Membership IR-3 (2):
  • MODERATE
  • HIGH

The organization coordinates incident response testing with organizational elements responsible for related plans.

Supplemental Guidance:

Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

REFERENCES:

  • NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment
  • NIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities