// Level 3 · Controls

RESPOND

NIST CSF 2.0 RESPOND function — categories and subcategories.

RS.AN · Medium

Incident Analysis

Investigations are conducted to ensure effective response and support forensics and recovery activities

RS.AN-01 · Medium

Notifications from detection systems are investigated

RS.AN-02 · Medium

The impact of the incident is understood

RS.AN-03 · Medium

Analysis is performed to establish what has taken place during an incident and the root cause of the incident

RS.AN-04 · Medium

Incidents are categorized consistent with response plans

RS.AN-05 · Medium

Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

RS.AN-06 · Medium

Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved

RS.AN-07 · Medium

Incident data and metadata are collected, and their integrity and provenance are preserved

RS.AN-08 · Medium

An incident's magnitude is estimated and validated

RS.CO · Medium

Incident Response Reporting and Communication

Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies

RS.CO-01 · Medium

Personnel know their roles and order of operations when a response is needed

RS.CO-02 · Medium

Internal and external stakeholders are notified of incidents

RS.CO-03 · Medium

Information is shared with designated internal and external stakeholders

RS.CO-04 · Medium

Coordination with stakeholders occurs consistent with response plans

RS.CO-05 · Medium

Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

RS.IM · Medium

Improvements


RS.IM-01 · Medium

Response plans incorporate lessons learned

RS.IM-02 · Medium

Response strategies are updated

RS.MA · Medium

Incident Management

Responses to detected cybersecurity incidents are managed

RS.MA-01 · Medium

The incident response plan is executed in coordination with relevant third parties once an incident is declared

RS.MA-02 · Medium

Incident reports are triaged and validated

RS.MA-03 · Medium

Incidents are categorized and prioritized

RS.MA-04 · Medium

Incidents are escalated or elevated as needed

RS.MA-05 · Medium

The criteria for initiating incident recovery are applied

RS.MI · Medium

Incident Mitigation

Activities are performed to prevent expansion of an event and mitigate its effects

RS.MI-01 · Medium

Incidents are contained

RS.MI-02 · Medium

Incidents are eradicated

RS.MI-03 · Medium

Newly identified vulnerabilities are mitigated or documented as accepted risks

RS.RP · Medium

Response Planning


RS.RP-01 · Medium

Response plan is executed during or after an incident