RS.CO-02: Internal and external stakeholders are notified of incidents

Previous Version:


Incorporates the following subcategories from the previous version of the framework: RS.CO-2: Incidents are reported consistent with established criteria; RS.CO-3: Information is shared consistent with response plans.


[Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples


Ex1: Follow the organization's breach notification procedures after discovering a data breach incident, including notifying affected customers

Ex2: Notify business partners and customers of incidents in accordance with contractual requirements

Ex3: Notify law enforcement agencies and regulatory bodies of incidents based on criteria in the incident response plan and management approval