NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-4(9) Dynamic Response Capability

Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The dynamic response capability addresses the timely deployment of new or replacement organizational capabilities in response to incidents. This includes capabilities implemented at the mission and business process level and at the system level.

Practitioner Notes

This enhancement requires your organization to have the ability to change its defensive posture dynamically in response to incidents — deploying new tools, changing configurations, or activating additional capabilities on demand.

Example 1: Maintain a library of pre-tested firewall rule sets and GPO configurations that can be rapidly deployed during an active incident. For example, have a ready-to-deploy GPO that disables USB storage across the domain, which you can link during a data exfiltration incident.

Example 2: Use cloud-based security tools like Microsoft Defender for Endpoint or CrowdStrike that allow you to push new detection rules, increase logging levels, or enable enhanced monitoring across all endpoints within minutes through their cloud console during an active threat.
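One way to make the pre-staged GPO from Example 1 deployable in a single step, as an added example that is not part of the original page. The GPO name `IR-Block-Removable-Storage` and the log path are assumed placeholders, and the script assumes the GPO blocks USB storage through the "All Removable Storage classes: Deny all access" policy (`Deny_All`).

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example. GPO name and log path are assumed placeholders.
param(
    [string]$GpoName = 'IR-Block-Removable-Storage',      # assumed name of the pre-tested GPO
    [string]$Target  = (Get-ADDomain).DistinguishedName,  # domain root; pass an OU DN to scope narrower
    [string]$LogPath = 'C:\IR\gpo-actions.csv',           # assumed evidence log
    [switch]$Rollback                                     # remove the link after the incident
)
$ErrorActionPreference = 'Stop'

# 1. Confirm the staged GPO exists and still carries the tested setting.
$gpo  = Get-GPO -Name $GpoName
$key  = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$deny = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'Deny_All'
if ($deny.Value -ne 1) { throw "'$GpoName' does not set Deny_All=1; refusing to link." }
if ($gpo.GpoStatus -notin 'AllSettingsEnabled', 'UserSettingsDisabled') {
    throw "Computer settings are disabled on '$GpoName' (GpoStatus: $($gpo.GpoStatus))."
}

# 2. Link, update, or remove depending on the current state of the target.
$link = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if ($Rollback) {
    if ($link) { Remove-GPLink -Guid $gpo.Id -Target $Target | Out-Null }
    $action = if ($link) { 'unlinked' } else { 'no-link-found' }
} elseif ($link) {
    Set-GPLink -Guid $gpo.Id -Target $Target -LinkEnabled Yes -Enforced Yes | Out-Null
    $action = 'existing-link-enforced'
} else {
    New-GPLink -Guid $gpo.Id -Target $Target -LinkEnabled Yes -Enforced Yes -Order 1 | Out-Null
    $action = 'linked-enforced'
}

# 3. Record who did what and when, for the incident timeline.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
[pscustomobject]@{
    TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
    Operator = "$env:USERDOMAIN\$env:USERNAME"
    Action   = $action
    Gpo      = $GpoName
    GpoId    = $gpo.Id
    Target   = $Target
} | Export-Csv -Path $LogPath -Append -NoTypeInformation
Write-Output "$action : $GpoName -> $Target"
```

Clients apply the link at their next Group Policy refresh; `Invoke-GPUpdate -Computer <name> -Force` pushes it to specific machines sooner.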