RS: Respond

Next Version:


The goal of the Respond function is to develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Framework Categories

RS.AN: Analysis

Analysis is conducted to ensure effective response and support recovery activities.

RS.CO: Communications

Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).

RS.IM: Improvements

Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.MI: Mitigation

Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

RS.RP: Response Planning

Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.