BRACKETOLOGY | FEDRAMP

IR-4: INCIDENT RESPONSE

  • FedRAMP Baseline Membership IR-4: LOW, MODERATE, HIGH

The organization:

    • a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
    • b. Coordinates incident handling activities with contingency planning activities; and
    • c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
FedRAMP REQUIREMENT (LOW, MODERATE, and HIGH):

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

SUPPLEMENTAL GUIDANCE

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

CONTROL ENHANCEMENTS

IR-4 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
  • FedRAMP Baseline Membership IR-4 (1): MODERATE, HIGH

The organization employs automated mechanisms to support the incident handling process.

Supplemental Guidance:

Automated mechanisms supporting incident handling processes include, for example, online incident management systems.

IR-4 (2) INCIDENT HANDLING | DYNAMIC RECONFIGURATION
  • FedRAMP Baseline Membership IR-4 (2): HIGH

The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.

FedRAMP REQUIREMENT (MODERATE and HIGH; there are no FedRAMP-specific requirements at LOW):

The organization includes dynamic reconfiguration of all network, data storage, and computing devices as part of the incident response capability.

Supplemental Guidance:

Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats.
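The reconfiguration the guidance describes, shown as an added example that is not part of the FedRAMP or NIST text: a small in-memory model of an ordered firewall filter list, an isolation routine that prepends deny rules for an affected host (so they win over existing permits), a rollback for the recovery phase, and a record that checks the elapsed time between detection and reconfiguration against an organization-defined time frame. The device name, addresses, rule format and the 15-minute limit are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Organization-defined time frame for completing a reconfiguration after
# detection. The 15-minute value is a constructed assumption; IR-4 (2)
# leaves the figure to the organization.
RECONFIG_TIME_FRAME = timedelta(minutes=15)


@dataclass(frozen=True)
class FilterRule:
    action: str     # "permit" or "deny"
    src: str        # address or "any"
    dst: str        # address or "any"
    tag: str = ""   # incident id that introduced the rule ("" for baseline rules)


@dataclass
class Device:
    """A network device with an ordered filter rule list (first match wins)."""
    name: str
    rules: List[FilterRule] = field(default_factory=list)


@dataclass
class ReconfigRecord:
    """Evidence that a reconfiguration happened and how long it took."""
    incident_id: str
    device: str
    detected_at: datetime
    applied_at: datetime
    rules_added: int

    def elapsed(self) -> timedelta:
        return self.applied_at - self.detected_at

    def within_time_frame(self, limit: timedelta = RECONFIG_TIME_FRAME) -> bool:
        return self.elapsed() <= limit


def decide(device: Device, src: str, dst: str) -> str:
    """First-match evaluation of the device's rule list; default deny."""
    for rule in device.rules:
        if rule.src in (src, "any") and rule.dst in (dst, "any"):
            return rule.action
    return "deny"


def isolate_component(device: Device, host: str, incident_id: str,
                      detected_at: datetime, now: Optional[datetime] = None) -> ReconfigRecord:
    """Prepend deny rules for both directions so they take precedence over
    existing permits. Idempotent: rules already present are not duplicated."""
    applied_at = now or datetime.now(timezone.utc)
    wanted = [FilterRule("deny", host, "any", incident_id),
              FilterRule("deny", "any", host, incident_id)]
    added = [r for r in wanted if r not in device.rules]
    device.rules[0:0] = added
    return ReconfigRecord(incident_id, device.name, detected_at, applied_at, len(added))


def rollback_isolation(device: Device, incident_id: str) -> int:
    """Remove every rule tagged with the incident (recovery phase); returns the count removed."""
    kept = [r for r in device.rules if r.tag != incident_id]
    removed = len(device.rules) - len(kept)
    device.rules = kept
    return removed


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: isolate a host, check traffic decisions and timing, roll back."""
    fw = Device("core-fw-01", [FilterRule("permit", "any", "any")])
    detected = datetime(2024, 3, 4, 2, 20, tzinfo=timezone.utc)
    record = isolate_component(fw, "10.0.5.23", "INC-0001", detected,
                               now=detected + timedelta(minutes=4))
    results: Dict[str, object] = {
        "rules_added": record.rules_added,
        "elapsed_minutes": record.elapsed().total_seconds() / 60,
        "within_time_frame": record.within_time_frame(),
        "isolated_out": decide(fw, "10.0.5.23", "10.0.9.1"),
        "isolated_in": decide(fw, "10.0.9.1", "10.0.5.23"),
        "other_traffic": decide(fw, "10.0.9.1", "10.0.9.2"),
    }
    # A repeated call adds nothing; one applied late fails the time-frame check.
    late = isolate_component(fw, "10.0.5.23", "INC-0001", detected,
                             now=detected + timedelta(minutes=40))
    results["repeat_added"] = late.rules_added
    results["late_within_time_frame"] = late.within_time_frame()
    results["rules_removed"] = rollback_isolation(fw, "INC-0001")
    results["after_rollback"] = decide(fw, "10.0.5.23", "10.0.9.1")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The ordering detail is the point: the deny rules must be inserted ahead of the baseline permit, or a first-match device never reaches them. The record object is what an assessor would ask for when checking that the organization-defined time frame was met.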

IR-4 (3) INCIDENT HANDLING | CONTINUITY OF OPERATIONS
  • FedRAMP Baseline Membership IR-4 (3): HIGH

The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.

There are no FedRAMP-specific requirements for this control enhancement at any baseline (LOW, MODERATE, or HIGH).

Supplemental Guidance:

Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack.

IR-4 (4) INCIDENT HANDLING | INFORMATION CORRELATION
  • FedRAMP Baseline Membership IR-4 (4): HIGH

The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

Supplemental Guidance:

Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.

RELATED CONTROLS: IR-4 (2)
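The correlation IR-4 (4) calls for, over the kinds of sources the IR-4 supplemental guidance lists (audit monitoring, network monitoring, physical access monitoring, user reports), as an added example that is not part of the FedRAMP or NIST text. Records from each source are normalised into one event shape, events that share a subject or host within a time window are linked with union-find, and a group is reported as an incident only when it is seen by an organization-defined minimum number of distinct sources. The record formats, names, addresses, the 24-hour window and the three-source threshold are constructed assumptions; no single source in the sample is alarming on its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # audit | network | physical | user_report
    subject: str   # account or badge holder, "" when the source has none
    host: str      # system involved, "" when the source has none
    detail: str


@dataclass
class Incident:
    subjects: Set[str]
    hosts: Set[str]
    sources: Set[str]
    timeline: List[Event]


# Constructed sample records in hypothetical per-source formats (not real logs).
SAMPLE_LOGS: Dict[str, List[str]] = {
    "physical": [
        "2024-03-04T02:03:00Z badge holder=jdoe door=DC-WEST result=granted",
    ],
    "audit": [
        "2024-03-04T02:11:05Z auth user=jdoe host=db-02 result=success method=password",
        "2024-03-04T09:02:44Z auth user=asmith host=web-01 result=success method=mfa",
    ],
    "network": [
        "2024-03-04T02:14:30Z flow host=db-02 dst=203.0.113.9 bytes=734003200",
        "2024-03-04T09:05:10Z flow host=web-01 dst=198.51.100.7 bytes=20480",
    ],
    "user_report": [
        "2024-03-04T08:30:00Z report reporter=jdoe host=db-02 text=on_leave_did_not_log_in",
    ],
}

# Which key=value field carries the subject / host in each source's format.
SUBJECT_FIELD: Dict[str, Optional[str]] = {
    "audit": "user", "network": None, "physical": "holder", "user_report": "reporter"}
HOST_FIELD: Dict[str, Optional[str]] = {
    "audit": "host", "network": "host", "physical": None, "user_report": "host"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(source: str, line: str) -> Event:
    """Normalise one record of the form '<ISO-8601 ts> <type> k=v ...' into an Event."""
    ts_text, _record_type, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = dict(KV_RE.findall(rest))
    subj_key, host_key = SUBJECT_FIELD[source], HOST_FIELD[source]
    return Event(
        ts=ts,
        source=source,
        subject=kv.get(subj_key, "") if subj_key else "",
        host=kv.get(host_key, "") if host_key else "",
        detail=rest,
    )


def load_events(logs: Dict[str, List[str]] = SAMPLE_LOGS) -> List[Event]:
    return [parse_line(src, line) for src, lines in logs.items() for line in lines]


def correlate(events: List[Event], window_hours: float = 24,
              min_sources: int = 3) -> List[Incident]:
    """Link events sharing a subject or host within window_hours of each other,
    then keep groups observed by at least min_sources distinct sources."""
    window = timedelta(hours=window_hours)
    parent = list(range(len(events)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i, a in enumerate(events):
        for j in range(i + 1, len(events)):
            b = events[j]
            if abs(a.ts - b.ts) > window:
                continue
            if (a.subject and a.subject == b.subject) or (a.host and a.host == b.host):
                parent[find(i)] = find(j)

    groups: Dict[int, List[Event]] = defaultdict(list)
    for i, e in enumerate(events):
        groups[find(i)].append(e)

    incidents: List[Incident] = []
    for evs in groups.values():
        sources = {e.source for e in evs}
        if len(sources) < min_sources:
            continue
        evs.sort(key=lambda e: e.ts)
        incidents.append(Incident(
            subjects={e.subject for e in evs if e.subject},
            hosts={e.host for e in evs if e.host},
            sources=sources,
            timeline=evs,
        ))
    incidents.sort(key=lambda inc: inc.timeline[0].ts)
    return incidents


if __name__ == "__main__":
    for inc in correlate(load_events()):
        print(f"subjects={sorted(inc.subjects)} hosts={sorted(inc.hosts)} sources={sorted(inc.sources)}")
        for e in inc.timeline:
            print(f"  {e.ts:%H:%M:%S} [{e.source}] {e.detail}")
```

In the sample, the badge entry, the password logon, the large outbound flow and the later "I was on leave" report each come from a different source; only when they are joined through the shared account and host does the group cross the threshold, while the second account's logon plus a small flow stays below it. Narrowing the window separates the morning user report from the overnight events, which is the trade-off the window parameter controls.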

IR-4 (5) INCIDENT HANDLING | AUTOMATIC DISABLING OF INFORMATION SYSTEM

The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.

Supplemental Guidance: NONE

IR-4 (6) INCIDENT HANDLING | INSIDER THREATS - SPECIFIC CAPABILITIES
  • FedRAMP Baseline Membership IR-4 (6): HIGH

The organization implements incident handling capability for insider threats.

Supplemental Guidance:

While many organizations address insider threat incidents as an inherent part of their organizational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organizations) to provide appropriate and timely responses.

IR-4 (7) INCIDENT HANDLING | INSIDER THREATS - INTRA-ORGANIZATION COORDINATION

The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].

Supplemental Guidance:

Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organizational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organizations may require external support from federal, state, and local law enforcement agencies.

IR-4 (8) INCIDENT HANDLING | CORRELATION WITH EXTERNAL ORGANIZATIONS
  • FedRAMP Baseline Membership IR-4 (8): HIGH

The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.

FedRAMP REQUIREMENT (HIGH; there are no FedRAMP-specific requirements at LOW or MODERATE):

The organization coordinates with external organizations, including consumer incident responders and network defenders and the appropriate consumer incident response team (CIRT)/Computer Emergency Response Team (CERT) (such as US-CERT, DoD CERT, IC CERT), to correlate and share [organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.

Supplemental Guidance:

The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals.

IR-4 (9) INCIDENT HANDLING | DYNAMIC RESPONSE CAPABILITY

The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.

Supplemental Guidance:

This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level.

RELATED CONTROLS: IR-4 (9)

IR-4 (10) INCIDENT HANDLING | SUPPLY CHAIN COORDINATION

The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.

Supplemental Guidance:

Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities.

REFERENCES:

  • Executive Order 13587
  • NIST Special Publication 800-61