Incident Response Plan

Approach basics → §4.x

IRT structure, ticketing platform, and the primary detection sources that feed the team.

Incident response team (IRT) name and structure * What the team is called and how it's structured (e.g., '24/7 SOC + on-call IRT', 'Enterprise CSIRT', 'Combined SOC/IRT under the CISO').

Case-management / ticketing system of record * Tool that holds incident cases (e.g., ServiceNow Security Operations, Jira Service Management, TheHive, Demisto / Cortex XSOAR, IBM Resilient).

Primary detection source summary (one-line for §4 narrative) Brief phrase summarizing what generates incident candidates. Detail goes in the dedicated sub-section.

Threat-intelligence sources summary Brief phrase (e.g., 'CISA AIS, MS-ISAC, vendor threat feeds, internal honeypot data').

24/7 coverage — Select — 24/7 in-house SOC + IRT 24/7 contracted SOC + in-house IRT escalation Business hours + on-call rotation off-hours Business hours only (document risk acceptance)

Incident Classification & Severity → §4.x

How incidents are categorized and prioritized; containment SLAs by tier.

Severity tiers used

Critical / Tier 1 (active widespread compromise) High / Tier 2 (single-system compromise or data exposure) Medium / Tier 3 (suspicious activity warranting investigation) Low / Tier 4 (policy violation or anomaly) Informational (no immediate action required)

Incident categories (per CISA NCISS)

Web (defacement, web-app compromise) Attrition (DoS / DDoS) Improper Usage (policy violation) Malicious Code (malware infection) Unauthorized Access Loss / Theft of Equipment Information Spillage / Improper Disclosure Phishing / Social Engineering Supply Chain Compromise Other

Containment SLA per tier Target time from detection to containment, by severity tier (e.g., 'Critical: 1h, High: 4h, Medium: 24h, Low: best-effort within 5 business days').

Escalation thresholds When does an incident escalate to executive leadership / AO / external IR retainer? Define triggers (severity, scope, time elapsed).

Detection Sources → §4.x

What feeds candidate incidents into the queue.

Detection sources used

SIEM correlation rules (see AU plan) EDR / XDR (endpoint detection) NDR / NIDS (network detection) Antivirus / antimalware DLP (data loss prevention) Vulnerability scanner findings (RA-5) User reports (phishing, suspicious activity) Threat-intel matches (IOC sweeps) Honeypot / deception Cloud provider alerts (GuardDuty, Defender for Cloud) Application-layer detection (WAF, RASP) Insider-threat signals (UEBA)

Alert routing into the case queue How alerts from each source land in the case-management system. Auto-promotion rules, deduplication, severity scoring.

False-positive handling How recurring false positives are tuned out without losing visibility into real signals. Exception-rule register and review cadence.

User incident-reporting channel How users report suspected incidents (e.g., 'phishing@org email auto-feeds the queue; ServiceNow Security Incident form').

Handling Phases (NIST SP 800-61 r2) → §4.x

Preparation; Detection & Analysis; Containment, Eradication, Recovery; Post-Incident.

Preparation activities What's prepared in advance: jump-kit contents, known-good images, contact rosters, evidence-collection tooling.

Analysis workflow How an alert becomes an incident: triage steps, scoping, attribution, classification. Reference SOAR playbooks if used.

Containment strategy Standard containment options (network isolation, account disable, host quarantine). Approval thresholds for containment that disrupts operations.

Eradication and recovery How threats are removed and systems restored. References CM-2 baseline restoration and CP backup-restore procedures.

Post-incident review process Lessons-learned cadence (within N days of resolution), participation, and how findings drive plan revisions and POA&M items.

External Reporting & Notifications → §4.x

Who outside the organization must be notified, and on what timeline.

External notification recipients

CISA (Federal — US-CERT) FBI / law enforcement MS-ISAC (state, local, tribal, territorial) DoD CYBERCOM (DoD systems) Sector ISAC (FS-ISAC, H-ISAC, etc.) Affected customers / partners (per contract) Privacy regulators (GDPR / state breach laws) Public disclosure (per SEC / contractual) Insurer (cyber-liability policy)

Reporting timelines Mandatory timelines per recipient (e.g., 'CISA major incident: within 1 hour of declaration; PII breach: 72h GDPR / state-specific'). CISA reference: Federal Incident Notification Guidelines.

Default Traffic Light Protocol marking — Select — TLP:RED (named recipients only) TLP:AMBER (limited distribution) TLP:AMBER+STRICT (recipient organization only) TLP:GREEN (community-wide) TLP:CLEAR (public) Default sensitivity marking on outbound IR communications. Most internal-IR comms start TLP:AMBER+STRICT.

External-communications owner Role responsible for external messaging (typically Public Affairs / Comms in coordination with Legal and the IRT).

Training and Exercises → §4.x

Role-based training cadence and exercise programs (IR-2, IR-3).

IR-specific training cadence — Select — Annually for all IRT roles Annually + on role change Quarterly for IRT + annual refresh for general staff Continuous (e.g., monthly tabletop bites)

Training audiences

IRT analysts (Tier 1) IRT senior responders (Tier 2/3) On-call engineers (subject matter experts) Executive leadership (decision authority) All system users (general awareness)

Exercise types performed

Tabletop (discussion-based) Functional (technical drills) Full-scale (real systems, simulated incident) Red-team / penetration test Purple-team (red + blue collaborative)

Exercise cadence — Select — Annually (one full-scale) Semi-annually (mix of tabletop + functional) Quarterly tabletops + annual full-scale Monthly tabletops + quarterly functional + annual full-scale

After-action / lessons-learned process How findings from exercises and real incidents are tracked to closure (POA&M? Internal tracker?). Cadence for re-validating closure.

Information Spillage Response (IR-9) → §4.x

Process for handling unauthorized disclosure of classified or controlled information.

What constitutes spillage in this system Categories of information whose disclosure triggers spillage response (CUI / FOUO / classified / PII / PHI / etc.) and the threshold for declaration.

Spillage response steps Steps when spillage is suspected or confirmed: containment (isolate affected systems), notification chain, scope assessment, sanitization plan, retention of evidence.

Sanitization approach How affected systems / storage are sanitized per NIST SP 800-88 r1. Reference MP-6 if applicable.

Spillage response lead role Role responsible for coordinating spillage response (often the ISSO + Privacy Officer for PII).

IRT Scope and Membership → §2.x

Who's on the team and how they're contacted.

Approximate IRT size Order of magnitude (e.g., '~10 analysts across 3 tiers').

Area of responsibility (AOR) What systems and populations the team covers (single system vs enterprise).

Primary IRT contact method How users / on-call engineers reach the IRT (e.g., 'PagerDuty service ir-soc; phishing@org for low-priority reports').

External IR retainer (if any) Third-party IR firm on retainer for surge support (e.g., Mandiant, CrowdStrike Services, Unit 42).

Incident Response Metrics & KPIs → §6.x

Metrics tracked to demonstrate IR control effectiveness over time.

Tracked metrics

Add item

Suggested: + Mean Time to Detect (MTTD) + Mean Time to Acknowledge (MTTA) + Mean Time to Contain (MTTC) + Mean Time to Recover (MTTR) + False-positive rate (% of alerts triaged out as FP) + Number of incidents per quarter (by severity) + Exercise findings closed within target + % playbooks current within review cadence + Recurrence rate (same root cause) + External-notification timeliness (% within SLA)

Threat Intelligence Consumption → §6.x

Sources, ingestion, and IOC sweeping cadence.

Threat-intel feeds subscribed

CISA AIS (Automated Indicator Sharing) MS-ISAC Sector ISAC (FS-ISAC, H-ISAC, etc.) Commercial feed (Mandiant / Recorded Future / CrowdStrike / etc.) Vendor product feeds (built into EDR / SIEM) Open-source feeds (AlienVault OTX, abuse.ch) Internal honeypot / deception Dark-web monitoring service

IOC ingestion mechanism How indicators flow from feeds into detection (TIP, MISP, direct SIEM watchlist, EDR threat-feed import).

Retroactive IOC sweep cadence How often historical logs are searched for newly-published indicators (e.g., 'Daily for high-priority feeds; weekly comprehensive sweep').

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the IR control implementations are summarized (e.g., 'SSP §13.6').

POA&M ID prefix for IR findings Convention for IR-related POA&M items (e.g., 'POAM-IR-').

AU plan cross-reference How audit records and SIEM detections from the AU plan feed incident detection. SIEM index, log sources, retention.

SI plan cross-reference How system-monitoring (SI-4), malware protection (SI-3), and integrity verification (SI-7) generate IR signals.

CP plan cross-reference How recovery from incidents coordinates with the contingency plan's restoration procedures.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying IR continuous-monitoring metrics to the broader ConMon plan.