NIST SP 800-61
What is NIST SP 800-61?
The NIST Computer Security Incident Handling Guide, describing the four-phase lifecycle used by incident response teams in government and industry.
NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, is published by the United States National Institute of Standards and Technology and is the most widely cited reference for incident response programs. It defines a four-phase incident-response lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The guide gives detailed recommendations for building an incident-response team, classifying and prioritising incidents, sharing information with internal and external parties, and continuously improving through lessons learned. It is heavily referenced by federal agencies and required by frameworks such as NIST CSF, FedRAMP, and the Cybersecurity Maturity Model Certification (CMMC). Revision 3, published in April 2025, restructures the guidance around the CSF 2.0 functions, but Revision 2 remains the version most programs cite.
● Examples
- 01: A SOC builds runbooks aligned to the four NIST SP 800-61 phases, with KPI dashboards for each.
- 02: A federal agency maps its incident handling SOP to SP 800-61 categories for FISMA reporting.
● Frequently asked questions
What is NIST SP 800-61?
The NIST Computer Security Incident Handling Guide, describing the four-phase lifecycle used by incident response teams in government and industry. It belongs to the Compliance & Frameworks category of cybersecurity.
What does NIST SP 800-61 mean?
The NIST Computer Security Incident Handling Guide, describing the four-phase lifecycle used by incident response teams in government and industry.
How does NIST SP 800-61 work?
NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, is published by the United States National Institute of Standards and Technology and is the most widely cited reference for incident response programs. It defines a four-phase incident-response lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The guide gives detailed recommendations for building an incident-response team, classifying incidents, sharing information with internal and external parties, and continuously improving through lessons learned. It is heavily referenced by federal agencies and required by frameworks such as NIST CSF, FedRAMP, and the Cybersecurity Maturity Model Certification (CMMC).
How do you defend against NIST SP 800-61?
NIST SP 800-61 is a guidance document rather than a threat, so there is nothing to defend against; organisations apply it by combining technical controls and operational practices, as detailed in the full definition above.
What are other names for NIST SP 800-61?
Common alternative names include: SP 800-61, Computer Security Incident Handling Guide.
● Related terms
- Incident Response (forensics-ir, № 524): The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- NIST SP 800-30 (compliance, № 735): A NIST Special Publication that provides guidance for conducting risk assessments of information systems and the missions they support.
- NIST SP 800-37 (compliance, № 736): The NIST Risk Management Framework, defining a seven-step process for managing security and privacy risk across the system lifecycle.
- CISM (compliance, № 176): An ISACA management-level certification for information security managers covering governance, risk, program development, and incident management across four domains.
- SOC 2 (compliance, № 1063): An AICPA attestation standard in which an independent auditor evaluates a service organization's controls against Trust Services Criteria.