Incident Response | CSRC | CSRC - NIST Computer Security Resource Center | CSRC (.gov)

Information Technology Laboratory COMPUTER SECURITY RESOURCE CENTER PROJECTS Incident Response Share to Facebook Share to X Share to LinkedIn Share ia Email Overview In April 2025, NIST finalized Special Publication (SP) 800-61 Revision 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile. NIST SP 800-61 Revision 3 seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities. This revision supersedes SP 800-61 Revision 2, Computer Security Incident Handling Guide. The new incident response life cycle model used in this publication is shown in the figure. The bottom level reflects that the preparation activities of Govern, Identify, and Protect are not part of the incident response itself. Rather, they are much broader cybersecurity risk management activities that also support incident response. Incident response is shown in the top level of the figure: Detect, Respond, and Recover. Additionally, the need for continuous improvement is indicated as the middle level with the Improvement Category within the Identify Function and the dashed green lines. Lessons learned from performing all activities in all Functions are fed into Improvement, and those lessons are analyzed, prioritized, and used to inform all of the Functions.   The scope of Revision 3 differs significantly from previous versions. Because the details of how to perform incident response activities change so often and vary so much across technologies, environments, and organizations, it is no longer feasible to capture and maintain that information in a single static publication. Instead, this version focuses on improving cybersecurity risk management for all of the NIST CSF 2.0 Functions to better support an organization's incident response capabilities.  NIST encourages readers of SP 800-61 Revision 3 to utilize other NIST resources to access additional information on implementing the recommendations and considerations in the publication. These resources include the selected examples listed for Preparation Resources and Life Cycle Resources, the NIST CSF 2.0 publication and supplemental resources, and mappings to additional sources of information on implementing incident response considerations available through the NIST Cybersecurity and Privacy Reference Tool (CPRT).  Your comments and suggestions for the Incident Response project are always welcome, including feedback on the listed resources and suggestions for additional vendor-neutral resources to include. Contact us at 800-61-comments@nist.gov. Back to Top PROJECT LINKS Overview News & Updates Publications ADDITIONAL PAGES Preparation Resources Life Cycle Resources CONTACTS Send Email to the NIST Incident Response Project Team: 800-61-comments@nist.gov Alex Nelson - NIST Sanjay (Jay) Rekhi - NIST Karen Kent - Trusted Cyber Annex GROUP Security Components and Mechanisms TOPICS Security and Privacy: incident response, threats, vulnerability management Applications: cybersecurity framework, forensics RELATED PROJECTS Cybersecurity Framework Log Management Mobile Forensics National Vulnerability Database Ransomware Protection and Response Created February 29, 2024, Updated November 20, 2025