Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Incident Response


NIST has released a new draft of Special Publication (SP) 800-61 Revision 3 for public comment! Your comments on Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile are welcome through May 20, 2024.

NIST SP 800-61 Revision 3 seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incident responses, reduce the number of incidents that occur and the impact of the incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities. Once this publication is finalized, it will supersede SP 800-61 Revision 2, Computer Security Incident Handling Guide.

The new incident response life cycle model used in this publication is shown in the figure. The top half reflects that the preparation activities in Govern, Identify, and Protect are not part of the incident response life cycle; they are much broader cybersecurity risk management activities that also support incident response. The new response life cycle for each incident is shown in the bottom half of the figure: Detect, Respond, and Recover. Finally, the need for continuous improvement is indicated by the Improvement Category within the Identify Function and the dashed green lines. Lessons learned from performing all activities in all Functions are fed into Improvement, and those lessons learned are analyzed and prioritized, then used to inform all the Functions.

Incident Response Preparation and Life Cycle

The scope of Revision 3 is significantly different from previous revisions. Because the details of how to perform incident response activities change so often and vary so much across technologies, environments, and organizations, it is no longer feasible to capture and maintain that information in a single static publication. Instead, this revision focuses on continuous improvement of cybersecurity risk management for all of the NIST CSF 2.0 Functions. That better supports organizations' incident response capabilities and addresses the increasing volume of damaging incidents with extended recovery periods. 

NIST encourages people to utilize online resources, including the selected examples listed for Preparation Resources and Life Cycle Resources, in conjunction with SP 800-61 Revision 3 and NIST CSF 2.0, to access additional information on implementing the recommendations and considerations in the publication. 

Your comments and suggestions for the Incident Response project are always welcome, including feedback on the listed resources and suggestions for additional vendor-neutral resources to include. Contact us at

Back to Top

Created February 29, 2024, Updated April 03, 2024