NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-9(3)Post-spill Operations

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: {{ insert: param, ir-09.03_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business.

Practitioner Notes

After an information spillage, your team needs to keep working while contaminated systems are being cleaned. This enhancement requires documented procedures for continuing operations during spillage remediation.

Example 1: Maintain a list of backup systems or workarounds for each critical business function. If a workstation is taken offline for spillage cleanup, the affected employee should know which backup machine to use or how to access systems remotely through an alternate path.

Example 2: Document standard operating procedures for reassigning work during spillage incidents. For example, if a shared file server is quarantined, have a procedure to grant temporary access to an alternate server with clean copies of non-contaminated working files.

More Incident Response Controls

IR-1 Policy and Procedures IR-2 Incident Response Training IR-2(1) Simulated Events IR-2(2) Automated Training Environments