NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
AC-3.6.3 Test the organizational incident response capability.
Control Family: Incident Response
Control Type: Derived
SPRS Value: 1
SPRS Supplemental Guidance:
N/A
CMMC Level(s):
IR.L2-3.6.3
Top Ten Failed Requirement:
#9
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
IR-2
IR-4
IR-5
IR-6
IR-7
NIST Supplemental Guidance:
[SP 800-84]
Discussion:
Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.
[SP 800-84] provides guidance on testing programs for information technology capabilities.
Upon assessment, assessors must determine if:
Determine if the incident response capability is tested.
Assessors are instructed to:
Examine: [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with incident response testing responsibilities; personnel with information security responsibilities; personnel with responsibilities for testing plans related to incident response].
Test: [SELECT FROM: Mechanisms and processes for incident response].