NIST 800-171 • LEVEL 2 • INCIDENT RESPONSE
3.6.1 — Incident Handling
Incident-related information can be obtained from a variety of sources, including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. An effective incident handling capability involves coordination among many organizational entities, including mission and business owners, system owners, human resources offices, physical and personnel security offices, legal departments, operations personnel, and procurement offices.
Assessment Objectives
- an incident-handling capability that is consistent with the incident response plan is implemented.
- the incident-handling capability includes preparation.
- the incident-handling capability includes detection and analysis.
- the incident-handling capability includes containment.
- the incident-handling capability includes eradication.
- the incident-handling capability includes recovery.
Practitioner Notes
You need a real plan for what happens when something goes wrong — a malware infection, a phishing compromise, a data breach. This is not a plan that sits in a drawer. It is a living capability that covers preparation, detection, containment, eradication, and recovery. Everyone involved needs to know their role before an incident happens.
Example 1: Create an Incident Response Plan (IRP) document that defines roles (Incident Commander, technical lead, communications lead), contact lists, escalation procedures, and playbooks for common scenarios (ransomware, phishing, insider threat). Store it in a shared location like SharePoint under a dedicated "Security" site. Include a section that maps to NIST SP 800-61 phases: Preparation, Detection & Analysis, Containment, Eradication & Recovery, and Post-Incident Activity.
Example 2: Configure automated detection in Microsoft Defender for Endpoint. In the Microsoft 365 Defender portal > Settings > Endpoints > Advanced Features, enable automated investigation and response. Set up alert notifications under Settings > Email Notifications so your incident response team gets immediate alerts for high-severity detections. This gives you the "detection and analysis" leg of your incident handling capability running 24/7.
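As an added example (not from this page, NIST, or Microsoft's tooling), the following Python sketch ties the two examples together: it routes high-severity alerts to the playbooks the IRP names and then enforces the SP 800-61 phase order and role ownership as the incident moves. The role names, playbook keys, phase-owner table, and the alert records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# NIST SP 800-61 phases, in the order the IRP section on this page maps them.
PHASES = ["Preparation", "Detection & Analysis", "Containment",
          "Eradication & Recovery", "Post-Incident Activity"]

# Assumed mapping from alert category to the IRP playbooks named in Example 1.
PLAYBOOKS = {"Ransomware": "ransomware", "Phishing": "phishing",
             "InsiderThreat": "insider-threat"}

# Assumed: which IRP role is allowed to move an incident into each phase.
PHASE_OWNER = {"Detection & Analysis": "technical lead",
               "Containment": "Incident Commander",
               "Eradication & Recovery": "technical lead",
               "Post-Incident Activity": "Incident Commander"}

@dataclass
class Incident:
    alert_id: str
    playbook: str
    phase: str = "Preparation"
    history: list = field(default_factory=list)  # (utc timestamp, phase, role)

    def advance(self, to_phase: str, actor_role: str) -> None:
        """Move exactly one phase forward; reject skipped phases and wrong roles."""
        if PHASES.index(to_phase) != PHASES.index(self.phase) + 1:
            raise ValueError(f"cannot jump from {self.phase} to {to_phase}")
        if PHASE_OWNER[to_phase] != actor_role:
            raise PermissionError(f"{to_phase} must be entered by {PHASE_OWNER[to_phase]}")
        self.history.append((datetime.now(timezone.utc).isoformat(), to_phase, actor_role))
        self.phase = to_phase

def triage(alerts):
    """Open an incident for each high-severity alert that has a matching playbook."""
    opened = []
    for a in alerts:
        if a["severity"].lower() != "high":
            continue  # lower severities stay in the analyst review queue
        playbook = PLAYBOOKS.get(a["category"])
        if playbook is None:
            continue  # no playbook yet: needs manual scoping, not auto-routing
        opened.append(Incident(a["id"], playbook))
    return opened

# Constructed sample alerts in the shape of a simplified Defender alert export.
SAMPLE_ALERTS = [
    {"id": "da1", "severity": "High", "category": "Ransomware", "host": "ws-01"},
    {"id": "da2", "severity": "Medium", "category": "Phishing", "host": "ws-02"},
    {"id": "da3", "severity": "High", "category": "Malware", "host": "ws-03"},
]
```

Categories without a playbook are deliberately left for a human rather than auto-routed, so the gap shows up in review instead of being silently dropped.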