NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15(10) Incident Response Plan

Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The incident response plan provided by developers may provide information not readily available to organizations and be incorporated into organizational incident response plans. Developer information may also be extremely helpful, such as when organizations respond to vulnerabilities in commercial off-the-shelf products.

Practitioner Notes

Developers should have an incident response plan specific to their development environment and products. If a development environment is compromised or a vulnerability is found in deployed code, the team needs a clear response plan.

Example 1: Create a development-specific incident response plan that addresses: compromised developer credentials, malicious code injected into the repository, compromised build pipeline, and zero-day vulnerabilities in deployed products. Define who responds, how code is rolled back, and how customers are notified.

Example 2: Conduct tabletop exercises with your development team simulating scenarios like a compromised npm package in your dependencies, a developer laptop infected with malware, or a critical vulnerability reported by a security researcher. Practice the response and refine the plan based on lessons learned.