Organizations that work with US government agencies have to follow various NIST frameworks to secure sensitive data. NIST incident response is spelled out in NIST SP 800-61, which also informs incident response protocols in other NIST frameworks needed for DoD compliance.
Is your organization seeking NIST and DoD compliance? Schedule a consultation to learn more.
NIST Incident Response and DoD Compliance
The National Institute of Standards and Technology (NIST) publishes frameworks to guide the security practices of government agencies and their contractors. One critical component for military contractors in particular is incident response. To comprehend the Department of Defense’s (DoD) incident response requirements for compliance, you need to understand:
- The underlying framework that informs all NIST incident response protocols
- The incident response requirements for specific data classes the DoD deals with
- The DoD’s cybersecurity maturity requirements, including for incident response
These interlocking frameworks are complex. But working with a compliance advisor streamlines every part of the process, from initial planning to implementation and certification assessments.
Baseline Protections in NIST SP 800-61
One of NIST’s most influential frameworks is its Computer Security Incident Handling Guide, better known as Special Publication (SP) 800-61. It was published in 2008 and updated most recently in 2012, so many of its references and suggestions are outdated. However, its premises and the structure it lays out still inform newer frameworks NIST has published.
NIST SP 800-61 is not necessarily required for governmental contracts, and specifically not for DoD partnerships. Instead, the best way to think about NIST SP 800-61 is as a foundation for incident response requirements in other government-mandated frameworks (more on these below).
At its core, NIST SP 800-61 establishes the need for a programmatic incident response strategy, beginning with organizational capacities. It also prescribes a general response plan for handling attacks as they occur, along with reporting recommendations for after an event is resolved.
Frameworks inspired by SP 800-61 take these suggestions further, specifying exact protocols.
Coordinating Incident Response Capabilities
The first segment of NIST SP 800-61 concerns the importance of incident response capabilities. It explains how organizations should conceptualize and staff incident response teams, along with general guidance on how the policies, plans, and procedures that they use should work.
With respect to personnel, NIST recommends three models for incident response teams:
- Central – A single team is responsible for all incident response across the entire organization, which is particularly useful in small to medium-sized businesses.
- Distributed – Several teams, all responding to a single authority, work separately on incident response in their respective, logically or physically segmented components.
- Coordinating – Multiple incident response teams operate collaboratively without exercising authority over one another or recognizing a single, shared authority.
NIST also provides guidance on internal, partially outsourced, and fully outsourced approaches to incident response team formation. It suggests balancing needs like 24/7 availability and multiple locations against direct and indirect cost factors, such as staff expertise and morale.
NIST SP 800-61 stresses the importance of having a strong incident response policy. It calls for statements of managerial commitment to incident response, clear roles and responsibilities, and a system for rating incident severity and prioritizing response tactics. NIST’s incident response plan guidance is similarly general, calling for clear descriptions of how teams will approach and communicate about incidents, along with metrics for gauging the capability’s effectiveness. The procedure guidance simply states that procedures should flow from defined policies and plans.
Active Incident Response Protocols
The one area where NIST SP 800-61 prescribes relatively specific practices is in active incident response. In the “Handling an Incident” section, it lays out four NIST incident response steps:
- Preparation – Organizations should ensure resources are in place for incident response teams to detect, react to, and communicate about attacks or other irregularities. Incident prevention (assessments, malware scanning, training) is also part of the preparation.
- Detection and Analysis – Organizations should also monitor for incidents regularly, scanning for known attack vectors based on institutional and industry-wide threat intelligence. Indicators should be logged and analyzed as soon as they are identified.
- Containment, Eradication, and Recovery – Organizations consult policies and plans to select a containment and eradication strategy. Impacted resources are quarantined until attacks are fully removed, at which point backups and recovery can begin.
- Post-incident Activities – After the incident has been resolved, organizations reflect on the process and generate intelligence based on the attacker(s), targets, and resolution strategies. This information should be retained for future analysis and threat prevention.
Critically, these steps are dynamic and cyclical. Each step informs the next and may also be impacted by subsequent steps. For example, information unveiled during containment feeds back into and impacts detection retroactively. This, in turn, may impact eradication and adjust specific processes used. And post-incident activities should always inform future preparation.
Sharing Information About Incidents
The NIST incident response life cycle does not end with resolution. Instead, organizations need to share information gathered during and after the incident to help other government agencies and their contractors prevent similar circumstances. The core message of this segment of NIST SP 800-61 is that organizations should be sharing information, with a few suggestions on how.
NIST recognizes that notice and information sharing regarding incidents often happens in an ad hoc manner. Employees and other stakeholders might email or call their colleagues, or talk about incidents in ways that are not particularly intentional or guided. To avoid potential security issues, like divulging information about the specific vulnerabilities attacked (or how attackers leveraged those weaknesses), NIST suggests using a systematic, automated approach.
The other concern raised is what information should be shared. In particular, Business Impact Information regarding the real effects of an attack on operations should be shared with response teams and coordinating teams. And Technical Information about the specific assets targeted, for what purposes, and any particular software or hardware that was compromised (and how), might need to be shared with other government agencies that use similar technology.
Although these suggestions are somewhat general, they form the backbone of many other frameworks’ specific requirements and guidance for incident response in particular contexts.
NIST Incident Response for DoD-critical Data
Organizations that contract with the US Military and other defense-adjacent agencies are likely to come into contact with Controlled Unclassified Information (CUI). CUI is governed by the Information Security Oversight Office (ISOO), and there are many different categories of data in the ISOO CUI registry. DoD contractors are responsible for safeguarding all forms of CUI.
NIST publishes a framework to help DoD contractors in particular protect this data: SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It contains 110 Requirements spanning many elements of cybersecurity across 14 Requirement Families, including Incident Response. There are Basic and Derived controls for fundamental and advanced protection, and the supplementary framework, SP 800-172, adds Enhanced Requirements. Below, we’ll take a close look at both texts’ incident response controls.
Basic IR Requirements in NIST SP 800-171
In every Requirement Family in SP 800-171, the Basic Requirements establish the foundation for safeguarding CUI. There are two Basic Requirements in the Incident Response family:
- 3.6.1 – Establish organizational incident handling capabilities that include preparation, detection, analysis, containment, recovery, and response activities (at minimum).
- 3.6.2 – Monitor for, track, document, and report on incidents as they occur to designated officials or authorities internal or external to the organization (i.e., government entities).
Both of these Requirements show the clear influence of SP 800-61. The capabilities in 3.6.1 include all of the plan and policy suggestions, and 3.6.2 mirrors the guidance on detection, along with retaining and sharing information about incidents. In practice, organizations familiar with SP 800-61 are well-positioned to meet and exceed SP 800-171’s Requirements.
Derived IR Requirement in NIST SP 800-171
Derived Requirements in NIST SP 800-171 build on the foundation of their Basic counterparts, adding complications and nuances to security practices. There is one for Incident Response:
- 3.6.3 – Test organizational incident response capabilities regularly.
This may seem like a straightforward Requirement, but organizations should strategize and implement their testing carefully. Further guidance on how to test security capabilities is provided in the Requirement Family “Security Assessment,” which stipulates procedures and target thresholds for accuracy and proficiency. And NIST’s guidance for 3.6.3 points toward another framework, NIST SP 800-84, for further information on security system testing.
Enhanced IR Requirements in NIST SP 800-172
As noted above, there is a framework that builds on NIST SP 800-171’s protections for CUI. It’s titled Enhanced Security Requirements for Protecting Controlled Unclassified Information (SP 800-172), and it adds Enhanced Requirements to the same scheme of Requirement Families.
In particular, it adds two Enhanced Requirements to Incident Response:
- 3.6.1e – Establish and maintain a security operation center (SOC) that operates on a schedule defined by the organization, pursuant to its incident response plan and policy.
- 3.6.2e – Establish an incident response team that can be deployed within a given timeframe, as defined by the organization’s incident response policy and plan.
As with the Basic Requirements above, the clear influence of SP 800-61 can be seen here, especially in 3.6.2e. The Discussion sections for both controls specifically reference SP 800-61 as a guide for establishing the incident response SOC and team. Other frameworks referenced include IR 8011-1, for automation; SP 800-86 and SP 800-101, for forensic applications; SP 800-150, for sharing information; and SP 800-184, for recovering from cyber events.
Given the complicated web of interlocking frameworks, organizations optimizing their NIST incident response for work with any government agency should seek out a NIST advisor.
CMMC Requirements for Incident Response
The NIST frameworks above, especially NIST SP 800-171 and 172, inform DoD compliance through the Cybersecurity Maturity Model Certification (CMMC) program. CMMC is overseen by the DoD’s Chief Information Officer (DCIO), alongside the Office of the Undersecretary of Defense (OUSD) for Intelligence and Security (I&S). The program was initially launched in 2020, with a major overhaul to compliance requirements coming with CMMC 2.0 in 2021. It exists to safeguard both CUI and Federal Contract Information (FCI) processed by DoD contractors.
Organizations seeking DoD contracts must achieve a Level of compliance specified in their contract by implementing controls adapted from those frameworks and assessing their cybersecurity maturity. Here is what each Level requires, with a focus on incident response:
- Level 1 – Organizations implement 15 practices adapted from NIST SP 800-171 for Foundational security. These do not include any of the IR controls described above.
  - Annual self-assessments and affirmations are required for Level 1 certification.
- Level 2 – Organizations implement 110 practices accounting for all of NIST SP 800-171 for Advanced security. This includes all three Basic and Derived IR controls above.
  - Triennial third-party assessments from Cyber AB-approved firms are required for most organizations at Level 2. Some may conduct triennial self-assessments.
- Level 3 – Organizations implement an undetermined set of practices from NIST SP 800-172 for Expert security. This may or may not include the Enhanced IR controls.
  - Triennial government-led assessments are required for Level 3 certification.
Organizations at Level 1 have no formal incident response practice requirements for CMMC. At Level 2, they must implement all NIST SP 800-171 requirements. And at Level 3, they will likely need to implement both NIST SP 800-172 IR requirements. But at all Levels, the best way to prepare for, achieve, and maintain certification is to work with a dedicated CMMC advisor.
Optimize Your NIST Incident Response Today
If your organization is seeking contracts with the US Military or other government agencies, you will likely need to implement some form of NIST cybersecurity, including incident response and other considerations. Understanding the baseline framework that informs all NIST incident response, along with the specific frameworks applicable to your industry, is critical.
RSI Security has helped many organizations implement NIST controls and prepare for compliance within the CMMC and other frameworks. Regardless of the regulation, we understand that the right way is the only way to prepare for and respond to incidents.
To learn more about CMMC and NIST incident response, contact RSI Security today!