RS.AN-06: Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved

This subcategory is new to this version of the framework and incorporates the following item from the previous version: RS.AN-3: Forensics are performed.


[Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable

Ex2: Require the incident lead to document the incident in detail and be responsible for preserving the integrity of the documentation and the sources of all information being reported