NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-4(7)Insider Threats — Intra-organization Coordination

Coordinate an incident handling capability for insider threats that includes the following organizational entities {{ insert: param, ir-04.07_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Incident handling for insider threat incidents (e.g., preparation, detection and analysis, containment, eradication, and recovery) requires coordination among many organizational entities, including mission or business owners, system owners, human resources offices, procurement offices, personnel offices, physical security offices, senior agency information security officer, operations personnel, risk executive (function), senior agency official for privacy, and legal counsel. In addition, organizations may require external support from federal, state, and local law enforcement agencies.

Practitioner Notes

Insider threat incidents cross organizational boundaries — security, HR, legal, management, and sometimes law enforcement all need to coordinate. This enhancement formalizes that coordination.

Example 1: Establish an Insider Threat Working Group that includes representatives from IT security, HR, legal, and department management. Meet quarterly to review indicators and monthly during active investigations. Document the group's charter and communication protocols.

Example 2: Create a secure Teams channel or encrypted email distribution list for insider threat communications. Use this channel to share sensitive investigation updates. Ensure all participants have signed NDAs and understand need-to-know restrictions for investigation details.

More Incident Response Controls

IR-1 Policy and Procedures IR-2 Incident Response Training IR-2(1) Simulated Events IR-2(2) Automated Training Environments