Earlier in April, the U.S. National Institute of Standards and Technology (“NIST”) published Special Publication (“SP”) 800-61, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, Revision 3 (“NIST SP 800-61”).  NIST SP 800-61 Revision 3 (“Revision 3”) is a significant change, as it not only represents the first update of the document since 2012, but also now maps the document’s recommendations and considerations for incident response to the six functions outlined in the recently-updated NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover.  As a result, Revision 3 includes significant new recommendations and guidance for incident response, and entities should consider reviewing and updating their incident response plans and procedures to incorporate these recommendations, particularly if an entity has aligned its cybersecurity program with the NIST Cybersecurity Framework or used the prior versions of NIST SP 800-61 as a basis for existing incident response plans or procedures.

NIST SP 800-61, which was first published in 2008 and last updated in 2012, is designed to assist organizations with cybersecurity incident response and cybersecurity risk management.  In Revision 3, NIST “[p]erformed a full rewrite of the previous content to improve clarity and usability and to remove outdated material,” and “[s]hifted the focus of the document from guidelines on detecting, analyzing, prioritizing, and handling incidents to recommendations and considerations for incorporating cybersecurity incident response considerations throughout an organization’s cybersecurity risk management activities.”

Figure 1. Revision 3 Incident response life cycle model based on CSF 2.0 Functions

Figure 2. Previous incident response life cycle model.

Revision 3 includes multiple significant updates, including:

  • Mapping Directly to NIST Cybersecurity Framework 2.0 – As the prior Revision 2 of NIST 800-61 was published in 2012, before the publication of the NIST Cybersecurity Framework 1.0 in 2014, Revision 2 does not map to the NIST Cybersecurity Framework.  For the first time, NIST 800-61 Revision 3 “uses the [Cybersecurity Framework] 2.0 Functions, Categories, and Subcategories to organize its recommendations, considerations, and other information regarding incident response.”  In light of this update, entities might also consider revisiting and updating their own incident response policies and procedures to reflect recent changes in Revision 3 and Cybersecurity Framework 2.0.
  • Life Cycle Model Restructure –  Revision 3 proposes a new Incident Response Life Cycle Model that, according to NIST, seeks to address a changed incident response landscape where incidents occur more frequently and are increasingly complex and dynamic.  As a result, the new Life Cycle Model in Revision 3 recognizes that incident preparation activities, which fall under Govern, Identify, and Protect in the Cybersecurity Framework, are not limited to incident response but reflect broader, ongoing cybersecurity risk management and incident preparation activities.  Therefore, these Cybersecurity Framework functions are now broken out into the bottom level, or foundation, of the Life Cycle Model, labeled “Preparation”.  By contrast, activities specific to incident response—which fall under the functions Detect, Respond, and Recover—make up the top level, titled “Incident Response”.  In addition, the new Life Cycle Model includes a middle section, titled “Lessons Learned” to emphasize the importance of continuous improvement (tied to the Identify Function within the Cybersecurity Framework).  In updating the life cycle model, NIST acknowledges that every organization varies, and as a result, the appropriate life cycle framework or model may also vary by organization (e.g., “larger and more technology-dependent organizations are likely to benefit more from using a framework or model emphasizing continuous improvement”).  Ultimately, NIST emphasizes that whatever the model used, incident response should be integrated as part of an organization’s broader cybersecurity risk management activities.
  • Cybersecurity Framework Recommendations – Revision 3 includes a significant number of recommendations and substantive considerations in two new extensive tables that explicitly map to the functions, categories, and subcategories in the Cybersecurity Framework.  One table addresses the functions related to preparation and lessons learned (Govern, Identify, and Protect), and the other addresses functions more specifically related to incident response (Detect, Respond, and Recover).  As a few examples, some of the key recommendations from these tables that are marked as high priority are: 1) the synchronization of business continuity plans with incident response plans since incidents have the potential to undermine business continuity; 2) the implementation of continuous monitoring “for unauthorized activity, deviations from expected activity, and changes in security posture,” which should involve monitoring of networks and network services, hardware and software, personnel activity and technology usage, and external service provider activities; and 3) consideration for how to use and rely upon technological solutions to filter large, potentially adverse, event datasets down to a subset that is suitable for human viewing and analysis.
  • Continuous Improvement – Another point of emphasis for Revision 3 is a greater focus on flexibility and a continued cycle of learning as part of ongoing incident response preparation and cybersecurity risk management.   While most entities have included lessons learned at the conclusion of their incident response processes, Revision 3 suggests that lessons learned can also be a continuous process informing preparation, the incident response, as well as recovery to “keep up with modern threats.”  In addition to after action reviews following an incident, entities can implement this recommendation through periodic tabletop exercises as well as integrating learnings from periodic risk assessments or reviews of their broader cybersecurity program into their incident response procedures.

Finally, Revision 3 recognizes that details of incident response best practices “change so often and vary so much across technologies, environments, and organizations, it [therefore] is no longer feasible to capture and maintain . . . information in a single static publication.”  Instead, given the rapid pace of incident response, NIST established a new Incident Response website where NIST will host links to incident response resources.  NIST said that “[b]y moving links from [SP 800-61] to a website, NIST can update and expand them as needed without having to release a new version of [SP 800-61].”

Tags: Cybersecurity, Data Breach, Data Security
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the
U.S. Army Reserve.

Read more about Ashden FeinEmail
Show more Show less
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Read more about Micaela McMurroughEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Moriah Daugherty Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity and national security matters, with a particular focus on risk management and governance, regulatory compliance, incident response and crisis management, and internal and government investigations.

Moriah specializes in counseling clients on a variety…

Moriah Daugherty advises clients on a broad range of cybersecurity and national security matters, with a particular focus on risk management and governance, regulatory compliance, incident response and crisis management, and internal and government investigations.

Moriah specializes in counseling clients on a variety of issues related to cybersecurity risk management and governance, including evaluating security controls, practices, and policies and preparing for cybersecurity incidents and data breaches, including the potential for related investigations, regulatory inquiries, and litigation. She regularly counsels clients on responding to a broad range of cybersecurity incidents, including breaches of personal data and incidents involving extortion and ransomware, targeting and theft of intellectual property by advanced persistent threats, and state-sponsored theft of sensitive U.S. government information.

Drawing on her government experience, Moriah leads cyber-related internal investigations and investigations conducted in response to government inquiries, whistleblower complaints, and threats of litigation, including matters involving allegations of noncompliance with U.S. government cybersecurity regulations and fraud under the False Claims Act.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

Read more about Moriah DaughertyEmail
Show more Show less
Photo of Sierra Stubbs Sierra Stubbs

Sierra Stubbs advises clients on a wide range of cybersecurity, data privacy, artificial intelligence, and public policy matters. As part of her data privacy and cybersecurity practice, Sierra helps clients navigate government and internal investigations, cybersecurity incident response, and compliance with U.S. state…

Sierra Stubbs advises clients on a wide range of cybersecurity, data privacy, artificial intelligence, and public policy matters. As part of her data privacy and cybersecurity practice, Sierra helps clients navigate government and internal investigations, cybersecurity incident response, and compliance with U.S. state and federal privacy and cybersecurity laws and standards. As part of her public policy practice, Sierra supports the development of clients’ public policy strategies and initiatives, including those related to intellectual property, innovation, and artificial intelligence.

Prior to joining Covington, Sierra served in the Office of the Chief of Staff to the U.S. Secretary of Commerce, most recently as a Special Advisor.

Read more about Sierra StubbsEmail
Show more Show less
Krissy Chapman

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal…

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.

Prior to joining the firm, Krissy served as a consultant in both the private and public sectors, advising clients across a range of industries, including transportation and infrastructure, life sciences and healthcare, and national security.

Read more about Krissy ChapmanEmail
Show more Show less