NIST SP 800-171 Rev 2 requirement 3.6.1 (CMMC practice IR.L2-3.6.1) requires organizations to establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. The capability must be operational, meaning staffed, equipped, and executable when an incident occurs, rather than merely documented in policy. Preparation means having an incident response plan, trained personnel, and the necessary tools (for example, retained log sources, contact lists, and a place to analyze suspect artifacts) in place before an incident occurs. Detection and analysis involve identifying potential incidents through monitoring and log review, then determining their scope and impact. Containment, eradication, and recovery limit damage, eliminate the threat, and restore affected systems to operational status; eradication is not named in the requirement text itself but is part of the NIST SP 800-61 incident-handling lifecycle that the requirement's discussion points to. User response activities ensure that personnel who discover or are affected by an incident know their reporting obligations and the immediate actions expected of them.
Where it stops · what it isn't
- This practice does not require a dedicated full-time incident response team; the capability may be fulfilled by personnel who hold IR responsibilities as a collateral duty, provided they are trained and equipped to carry them out.
- This practice does not mandate specific technical tooling such as SIEM or EDR platforms, though such tools are commonly used to satisfy the detection and analysis activities.
- This practice does not cover tracking, documenting, and reporting incidents to designated officials and authorities, internal or external (such as DoD or CISA); that requirement is addressed separately under IR.L2-3.6.2.
- This practice does not address testing of the incident-handling capability through exercises; that obligation falls under IR.L2-3.6.3.
- This practice does not define minimum incident classification thresholds; organizations must establish their own tiered criteria as part of preparation.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: domain/incident-response