
NIST SP 800-61, Rev. 2: Computer Security Incident Handling Guide

NIST SP 800-61 is designed to help organizations plan effective and efficient incident responses.

NIST SP 800-61 has step-by-step instructions organizations should follow to rapidly detect incidents, minimize loss, mitigate weaknesses, and restore IT services.  

In SP 800-61, NIST defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” NIST presents SP 800-61 as a recommendations document, emphasizing how important it is for organizations to have a well-established incident response plan and well-trained teams to carry it out. The guide also covers analyzing incident-related data, determining the best response to each incident, and continually monitoring for attacks. Its guidelines are written to apply to all hardware platforms, operating systems, protocols, and applications.

The major phases of the incident response process are: preparation, detection/analysis, containment, eradication and recovery, and post-incident activity. 

NIST 800-61 lists these actions as crucial to establishing an incident response capability:

  • Developing an incident response policy and plan
  • Designing procedures for incident handling and reporting
  • Establishing guidelines for communicating with outside parties
  • Choosing a team structure and staffing model
  • Setting up relationships and lines of communication between the incident response team and internal (e.g., legal department) and external (e.g., law enforcement agencies) groups
  • Deciding the services the incident response team should provide
  • Staffing and training the incident response team

NIST SP 800-53 has a security control family, Incident Response (IR), that details best practices for handling and responding to incidents:

  • IR-1 Policy and Procedures
  • IR-2 Incident Response Training
  • IR-3 Incident Response Testing
  • IR-4 Incident Handling
  • IR-5 Incident Monitoring
  • IR-6 Incident Reporting
  • IR-7 Incident Response Assistance
  • IR-8 Incident Response Plan
  • IR-9 Information Spillage Response

Get Started with Cerberus Sentinel

Cerberus Sentinel’s team of experts has deep expertise and decades of experience working with federal agencies and public- and private-sector clients that adhere to NIST SP 800-61 guidance.