Following last year’s release of an initial public draft for comment, the U.S. National Institute of Standards and Technology (NIST) this week published the finalized Special Publication (SP) 800-61 Revision 3. The document seeks to help organizations incorporate cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by the NIST Cybersecurity Framework (CSF) 2.0. NIST SP 800-61 Rev. 3 focuses on improving cybersecurity risk management across all of the NIST CSF 2.0 Functions to better support an organization’s incident response capabilities.

The scope of Rev. 3 differs significantly from previous versions. Because the details of how to perform incident response activities change so often and vary so much across technologies, environments, and organizations, it is no longer feasible to capture and maintain that information in a single static publication.

Incorporating incident response into broader cybersecurity risk management can help organizations prepare for incidents, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities. The latest revision supersedes SP 800-61 Rev. 2, Computer Security Incident Handling Guide.

Titled ‘Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile,’ NIST SP 800-61 Rev. 3 details the new incident response life cycle model. All six CSF Functions have vital roles in incident response. Govern, Identify, and Protect help organizations prevent some incidents, prepare to handle incidents that do occur, reduce the impact of those incidents, and improve incident response and cybersecurity risk management practices based on lessons learned. Detect, Respond, and Recover help organizations discover, manage, prioritize, contain, eradicate, and recover from cybersecurity incidents, as well as perform incident reporting, notification, and other incident-related communications.

Organizations should use the incident response life cycle framework or model that suits them best. The model in NIST SP 800-61 Rev. 3 is based on CSF 2.0 in order to take advantage of the wealth of resources available for CSF 2.0 and to aid organizations that are already using the CSF.

The bottom level of the model reflects that the preparation activities of Govern, Identify, and Protect are not part of the incident response itself; rather, they are much broader cybersecurity risk management activities that also support incident response. The need for continuous improvement is shown as the middle level, with the Improvement Category within the Identify Function and the dashed green lines in the model’s diagram. Lessons learned from performing all activities in all Functions are fed into Improvement, where they are analyzed, prioritized, and used to inform all of the Functions.

The appropriate incident response life cycle framework or model for an organization depends on many factors; for example, larger and more technology-dependent organizations are likely to benefit more from a framework or model emphasizing continuous improvement than other organizations would. Regardless of the framework or model used, every organization should consider incident response throughout its cybersecurity risk management activities.

Organizations should have policies that govern their cybersecurity incident response. While a policy is highly individualized to the organization, most incident response policies share common elements: a statement of management commitment; the purpose and objectives of the policy; and the scope of the policy, covering to whom and what it applies and under what circumstances.

The policy should also define events, cybersecurity incidents, investigations, and related terms; set out roles, responsibilities, and authorities, such as which roles have the authority to confiscate, disconnect, or shut down technology assets; provide guidelines for prioritizing incidents, estimating their severity, initiating recovery processes, maintaining or restoring operations, and other key actions; and specify performance measures.

Furthermore, NIST SP 800-61 Rev. 3 notes that processes and procedures should be based on the incident response policy and plan. Documented procedures should explain how technical processes and other operating procedures are to be performed. Procedures can be tested or exercised periodically to verify their accuracy and can be used to help train new personnel. While it is impossible to have detailed procedures for every possible situation, organizations should consider documenting procedures for responding to the most common types of incidents and threats.

Organizations should also develop and maintain procedures for particularly important processes that may be urgently needed during emergencies, such as redeploying the organization’s primary authentication platform.

NIST SP 800-61 Rev. 3 defines NIST’s CSF 2.0 Community Profile for cyber incident risk management. It uses the CSF Core as the basis for highlighting and prioritizing cybersecurity outcomes that are important for incident response, making recommendations, and providing other supporting information for certain CSF outcomes within the context of incident response. The Community Profile is split into two tables – one covering Preparation (Govern, Identify, and Protect) and Lessons Learned (Identify-Improvement), the other covering Incident Response (Detect, Respond, and Recover).

These recommendations, considerations, and notes supplement what CSF 2.0 already provides through its documents and online resources. The Community Profile is intended for use by most organizations, regardless of sector, size, or other factors.

NIST also encourages readers of SP 800-61 Rev. 3 to use other NIST resources for additional information on implementing the publication’s recommendations and considerations. These resources include the selected examples listed under Preparation Resources and Life Cycle Resources, the NIST CSF 2.0 publication and its supplemental resources, and mappings to additional sources of information on implementing incident response considerations, available through the NIST Cybersecurity and Privacy Reference Tool (CPRT).

Last month, NIST published a status report on the fourth round of its post-quantum cryptography standardization process, which aims to establish cryptographic standards that can withstand the potential threats posed by quantum computers, machines expected to be capable of breaking many of the cryptographic systems currently in use. The agency also detailed a new algorithm for post-quantum encryption called HQC, which will serve as a backup for ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), the primary algorithm for general encryption.
