NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-4(3) Continuity of Operations

Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved for when systems are under attack. Organizations consider whether continuity of operations requirements during an incident conflict with the capability to automatically disable the system as specified as part of [IR-4(5)](#ir-4.5).

Practitioner Notes

Some incidents could shut down critical business operations. This enhancement requires you to identify which incidents could threaten mission continuity and have specific response actions ready to keep operations running.

Example 1: Identify your top five business-critical systems (email, ERP, file shares, customer portal, etc.) and create specific IR playbooks for each. Include failover procedures — for example, if your primary email server goes down due to an incident, document how to switch to a backup Exchange Online instance.

Example 2: Maintain a business impact analysis (BIA) document that maps each system to its recovery time objective (RTO). When an incident affects a critical system, your IR team uses the BIA to prioritize recovery. Store this document alongside your IR plan in SharePoint for quick access.