1. Home
  2. FedRAMP
  3. IR-8

BRACKETOLOGY | FEDRAMP

IR-8: INCIDENT RESPONSE

  • FedRAMP Baseline Membership IR-8:
  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization:

    • a. Develops an incident response plan that:
      1. Provides the organization with a roadmap for implementing its incident response capability;
      2. Describes the structure and organization of the incident response capability;
      3. Provides a high-level approach for how the incident response capability fits into the overall organization;
      4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
      5. Defines reportable incidents;
      6. Provides metrics for measuring the incident response capability within the organization;
      7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
      8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
    • b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
    • c. Reviews the incident response plan [Assignment: organization-defined frequency];
    • d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
    • e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
    • f. Protects the incident response plan from unauthorized disclosure and modification.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

The organization:

  • a. Develops an incident response plan that:
    1. Provides the organization with a roadmap for implementing its incident response capability;
    2. Describes the structure and organization of the incident response capability;
    3. Provides a high-level approach for how the incident response capability fits into the overall organization;
    4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
    5. Defines reportable incidents;
    6. Provides metrics for measuring the incident response capability within the organization;
    7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
    8. Is reviewed and approved by organization-defined personnel or roles;
  • b. Distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements (See additional FedRAMP Requirements and Guidance);
  • c. Reviews the incident response plan at least annually. ;
  • d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
  • e. Communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements (See additional FedRAMP Requirements and Guidance); and
  • f. Protects the incident response plan from unauthorized disclosure and modification.

FedRAMP REQUIREMENT:

IR-8b. & 8e.: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

The organization:

  • a. Develops an incident response plan that:
    1. Provides the organization with a roadmap for implementing its incident response capability;
    2. Describes the structure and organization of the incident response capability;
    3. Provides a high-level approach for how the incident response capability fits into the overall organization;
    4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
    5. Defines reportable incidents;
    6. Provides metrics for measuring the incident response capability within the organization;
    7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
    8. Is reviewed and approved by organization-defined personnel or roles;
  • b. Distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements (See additional FedRAMP Requirements and Guidance);
  • c. Reviews the incident response plan at least annually. ;
  • d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
  • e. Communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements (See additional FedRAMP Requirements and Guidance); and
  • f. Protects the incident response plan from unauthorized disclosure and modification.

FedRAMP REQUIREMENT:

IR-8b. & 8e.: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

The organization:

  • a. Develops an incident response plan that:
    1. Provides the organization with a roadmap for implementing its incident response capability;
    2. Describes the structure and organization of the incident response capability;
    3. Provides a high-level approach for how the incident response capability fits into the overall organization;
    4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
    5. Defines reportable incidents;
    6. Provides metrics for measuring the incident response capability within the organization;
    7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
    8. Is reviewed and approved by organization-defined personnel or roles;
  • b. Distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements (See additional FedRAMP Requirements and Guidance);
  • c. Reviews the incident response plan at least annually. ;
  • d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
  • e. Communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements (See additional FedRAMP Requirements and Guidance); and
  • f. Protects the incident response plan from unauthorized disclosure and modification.

FedRAMP REQUIREMENT:

IR-8b. & 8e.: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

SUPPLEMENTAL GUIDANCE

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

CONTROL ENHANCEMENTS

NO CONTROL ENHANCEMENTS

REFERENCES:

  • NIST Special Publication 800-61