NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-7(2)Coordination with External Providers

Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and Identify organizational incident response team members to the external providers.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

External providers of a system protection capability include the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. It may be beneficial to have agreements in place with external providers to clarify the roles and responsibilities of each party before an incident occurs.

Practitioner Notes

Your incident response capability should have a working relationship with external security service providers — like your ISP, MSSP, antivirus vendor, or law enforcement — so you can get help quickly when needed.

Example 1: Maintain a contact directory of external IR resources: your MSSP, FBI Cyber Division field office, CISA regional office, and your cyber insurance provider's breach response hotline. Include account numbers and contract references so you can activate support quickly.

Example 2: Pre-negotiate an incident response retainer with a digital forensics firm (like CrowdStrike Services, Mandiant, or Kroll). Having a retainer means you do not have to negotiate contracts during a crisis — you just make a phone call and they start working.

More Incident Response Controls

IR-1 Policy and Procedures IR-2 Incident Response Training IR-2(1) Simulated Events IR-2(2) Automated Training Environments