NIST 800-53 REV 5 • INCIDENT RESPONSE
IR-2(3) — Breach
Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See [IR-2(1)](#ir-2.1).
Practitioner Notes
If your organization handles personal data, your IR team needs specific training on breach notification requirements — who to notify, how fast, and what to include. This is not just a technical issue; it is a legal and regulatory one.
Example 1: Train your IR team on your state's breach notification laws and any federal requirements (HIPAA, DFARS 7012). Create a quick-reference card listing notification timelines: 72 hours for GDPR, 60 days for HIPAA, and 72 hours for DFARS cyber incident reports to DIBNet.
Example 2: Conduct an annual tabletop exercise specifically focused on a data breach scenario involving PII. Walk through the entire notification process: determining scope, contacting legal counsel, drafting notification letters, and reporting to regulators. Document the exercise and lessons learned.