>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

IR-8Incident Response Plan

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Develop an incident response plan that:

1.

Provides the organization with a roadmap for implementing its incident response capability;

2.

Describes the structure and organization of the incident response capability;

3.

Provides a high-level approach for how the incident response capability fits into the overall organization;

4.

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

5.

Defines reportable incidents;

6.

Provides metrics for measuring the incident response capability within the organization;

7.

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

8.

Addresses the sharing of incident information;

9.

Is reviewed and approved by organization-defined personnel or roles organization-defined frequency; and

10.

Explicitly designates responsibility for incident response to organization-defined entities, personnel, or roles.

b

Distribute copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

c

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

d

Communicate incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

e

Protect the incident response plan from unauthorized disclosure and modification.

>DoD Impact Level Requirements

FedRAMP Parameter Values

IR-8 (a) (9)-2 [at least annually] IR-8 (b) [see additional FedRAMP Requirements and Guidance] IR-8 (d) [see additional FedRAMP Requirements and Guidance]

Additional Requirements and Guidance

IR-8 (b) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. IR-8 (d) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

>Discussion

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain.

For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

>Programmatic Queries

Beta

Related Services

Systems Manager Documents
Incident Manager
S3

CLI Commands

List SSM runbooks
aws ssm list-documents --filters 'Key=DocumentType,Values=Automation'
Check Incident Manager response plans
aws ssm-incidents list-response-plans
List S3 buckets for documentation
aws s3api list-buckets --query "Buckets[?contains(Name,'incident') || contains(Name,'runbook')]"
Get response plan details
aws ssm-incidents get-response-plan --arn ARN
Open AWS ConsoleDocumentation

>Related Controls

AC-2
CP-2
CP-4
IR-4
IR-7
IR-9
PE-6
PL-2
SA-15
SI-12
SR-8

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IR-8 (Incident Response Plan)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IR-8?
  • How frequently is the IR-8 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IR-8 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IR-8 requirements.
  • What automated tools, systems, or technologies are deployed to implement IR-8?
  • How is IR-8 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IR-8 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IR-8?
  • What audit logs, records, reports, or monitoring data validate IR-8 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IR-8 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IR-8 compliance?

Ask AI

Configure your API key to use AI features.