SA-15(10): Incident Response Plan

Control Family:

System And Services Acquisition

Parent Control:

SA-15: Development Process, Standards, And Tools

Priority:

P2: Implement P2 security controls after implementation of P1 controls.

CSF v1.1 References:

ID.SC-2
PR.IP-2

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
SA-15(10): Incident Response Plan

Control Statement

The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.

Supplemental Guidance

The incident response plan for developers of information systems, system components, and information system services is incorporated into organizational incident response plans to provide the type of incident response information not readily available to organizations. Such information may be extremely helpful, for example, when organizations respond to vulnerabilities in commercial off-the-shelf (COTS) information technology products.