LLMpedia: The first transparent, open encyclopedia generated by LLMs

NIST SP 800-61

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
NIST SP 800-61
Name: NIST Special Publication 800-61
Author: National Institute of Standards and Technology
Country: United States
Language: English
Subject: Computer security incident handling
Published: 2004, revised 2012 (rev. 2)
Pages: 124

NIST SP 800-61 is a United States federal guidance document issued by the National Institute of Standards and Technology that defines processes for computer security incident handling, drawing on practices used by the Department of Homeland Security, the Federal Bureau of Investigation, the Central Intelligence Agency, the United States Computer Emergency Readiness Team, and private-sector responders. The publication informs incident response activities across agencies such as the Department of Defense and the Department of Justice, and at organizations following standards from bodies such as the International Organization for Standardization and the Payment Card Industry Security Standards Council.

Overview

NIST SP 800-61 presents a structured approach to incident response informed by historical responses to events such as the Conficker worm, Stuxnet, and the Sony Pictures Entertainment hack, and by lessons from operations of the CERT Coordination Center, the SANS Institute, and the MITRE Corporation. The guidance situates incident handling alongside frameworks such as ISO/IEC 27001, COBIT, and the NIST Cybersecurity Framework, and compliance regimes such as the Sarbanes–Oxley Act and the Health Insurance Portability and Accountability Act, whose enforcement involves the Office for Civil Rights (OCR). It addresses coordination among stakeholders including Chief Information Officer offices in agencies, legal counsel working under precedents such as United States v. Microsoft Corp., and international responders shaped by treaties such as the Budapest Convention on Cybercrime.

Incident Response Lifecycle

The publication defines a lifecycle with phases comparable to the methodologies used by United States Cyber Command, the National Security Agency, CERT/CC, and corporate responders to incidents such as the Equifax data breach and the Target data breach. The four phases (preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity) align with processes described in reports by Gartner and Forrester Research and in case studies from Cisco Systems and Microsoft. These stages guide the playbooks used in tabletop exercises modeled on crisis simulations run by the RAND Corporation and Harvard Kennedy School programs.
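As an added illustration (not code from NIST or from the publication itself), the following Python tracker encodes the four phases as a small state machine so that a ticket cannot skip or reverse a phase, keeps a timestamped transition history, and derives a simple after-action metric from it. The allowed transitions follow the lifecycle figure in SP 800-61 Rev. 2, where handling can return from containment to detection and analysis when new evidence appears, and post-incident activity feeds back into preparation. The ticket fields, the constructed sample timestamps and notes, and the elapsed-hours metric are assumptions chosen for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Phase identifiers for the four lifecycle phases.
PREPARATION = "preparation"
DETECTION_ANALYSIS = "detection_and_analysis"
CONTAINMENT = "containment_eradication_recovery"
POST_INCIDENT = "post_incident_activity"

# Allowed transitions, following the SP 800-61 Rev. 2 lifecycle figure:
# containment can loop back to analysis when new evidence turns up, and
# lessons learned in post-incident activity feed back into preparation.
ALLOWED_TRANSITIONS = {
    PREPARATION: {DETECTION_ANALYSIS},
    DETECTION_ANALYSIS: {CONTAINMENT},
    CONTAINMENT: {DETECTION_ANALYSIS, POST_INCIDENT},
    POST_INCIDENT: {PREPARATION},
}


class InvalidTransition(ValueError):
    """Raised when a ticket tries to skip or reverse a lifecycle phase."""


def is_allowed(from_phase, to_phase):
    """True if the lifecycle permits moving directly from one phase to another."""
    return to_phase in ALLOWED_TRANSITIONS.get(from_phase, set())


@dataclass
class Incident:
    """Minimal incident ticket (field names are assumptions for this example)."""
    ident: str
    phase: str = PREPARATION
    # Each history entry is (timestamp, from_phase, to_phase, note).
    history: list = field(default_factory=list)

    def advance(self, to_phase, note, at=None):
        """Move to the next phase and record why, or refuse an illegal move."""
        at = at or datetime.now(timezone.utc)
        if not is_allowed(self.phase, to_phase):
            raise InvalidTransition(
                f"{self.ident}: {self.phase} -> {to_phase} is not a lifecycle transition"
            )
        self.history.append((at, self.phase, to_phase, note))
        self.phase = to_phase

    def first_entered(self, phase):
        """Timestamp at which the ticket first entered `phase`, or None."""
        for ts, _, to_phase, _ in self.history:
            if to_phase == phase:
                return ts
        return None

    def hours_detection_to_containment(self):
        """Example after-action metric (name is an assumption): hours between
        first entering detection/analysis and first entering containment."""
        detected = self.first_entered(DETECTION_ANALYSIS)
        contained = self.first_entered(CONTAINMENT)
        if detected is None or contained is None:
            return None
        return (contained - detected).total_seconds() / 3600

    def loops_back_to_analysis(self):
        """How many times handling returned from containment to analysis."""
        return sum(
            1 for _, frm, to, _ in self.history
            if frm == CONTAINMENT and to == DETECTION_ANALYSIS
        )


def walk_sample_incident():
    """Constructed walkthrough with fixed timestamps so results are deterministic."""
    def t(hour):
        return datetime(2024, 1, 1, hour, tzinfo=timezone.utc)

    inc = Incident("INC-0001")  # constructed ticket id
    inc.advance(DETECTION_ANALYSIS, "SIEM alert triaged as a true positive", at=t(1))
    inc.advance(CONTAINMENT, "affected host isolated from the network", at=t(3))
    inc.advance(DETECTION_ANALYSIS, "forensic image shows a second compromised host", at=t(5))
    inc.advance(CONTAINMENT, "second host isolated, credentials rotated", at=t(6))
    inc.advance(POST_INCIDENT, "lessons-learned meeting scheduled", at=t(10))
    return inc


if __name__ == "__main__":
    inc = walk_sample_incident()
    print(inc.phase, inc.hours_detection_to_containment(), inc.loops_back_to_analysis())
    try:
        Incident("INC-0002").advance(POST_INCIDENT, "attempt to skip straight to close-out")
    except InvalidTransition as exc:
        print("rejected:", exc)
```

The transition table is the part worth adapting: a team that wants to forbid closing an incident before eradication is confirmed, or to require a recorded approver on the containment step, extends `advance` rather than editing tickets by hand, and the history then doubles as the evidence trail for the post-incident review.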

Roles and Responsibilities

NIST SP 800-61 enumerates roles adopted by organizations influenced by the structures of United States Secret Service investigations and of private-sector incident response teams at firms such as FireEye, CrowdStrike, Palo Alto Networks, and Symantec Corporation. It assigns responsibilities across roles analogous to titles found at Amazon Web Services, Google LLC, Apple Inc., and the university computing centers of the Massachusetts Institute of Technology and Stanford University. The guidance clarifies interaction with legal authorities such as the Federal Trade Commission and State Attorneys General, and with international authorities exemplified by Europol and INTERPOL.

Implementation and Best Practices

Practical measures in the guidance mirror controls used by organizations following recommendations from Center for Internet Security benchmarks, the National Cybersecurity Center of Excellence, and the incident handling curricula of the SANS Institute and (ISC)². Best practices include developing incident response plans; writing playbooks for scenarios such as ransomware attacks of the kind seen in WannaCry and NotPetya; holding regular exercises modeled on those of the NATO Cooperative Cyber Defence Centre of Excellence; and integrating with risk management frameworks promulgated by the Committee of Sponsoring Organizations of the Treadway Commission. Emphasis is placed on documentation, metrics, and after-action reviews similar to those used in United States Government Accountability Office audits.

Tools, Techniques, and Automation

The guidance encourages the use of forensic and analysis tools akin to those developed in National Institute of Standards and Technology labs, commercial and open-source tools such as Splunk, Wireshark, Volatility, and EnCase, and orchestration platforms such as Security Information and Event Management (SIEM) and SOAR products used by enterprises including Facebook, IBM, and Intel Corporation. It discusses techniques drawn from digital forensics casework, as seen in investigations by Metropolitan Police Service cyber units, and malware analysis approaches employed by Kaspersky Lab and Trend Micro. Its automation recommendations reflect practices from continuous monitoring initiatives such as Continuous Diagnostics and Mitigation and from cloud-native response in environments run by Microsoft Azure, Google Cloud Platform, and Amazon Web Services.

Legal and Privacy Considerations

NIST SP 800-61 highlights legal and privacy constraints shaped by rulings such as Carpenter v. United States and by statutes including the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, and it interfaces with regulatory regimes such as General Data Protection Regulation enforcement actions by national data protection authorities. It underscores coordination with counsel experienced in statutes enforced by the Securities and Exchange Commission and in reporting obligations under breach notification laws across jurisdictions, exemplified by actions of the New York Department of Financial Services and by multinational corporate compliance programs at firms such as Siemens and Volkswagen AG.

Updates and Revision History

The original release and subsequent revision cycles reflect an evolving threat landscape, with updates timed around major incidents such as Operation Aurora, follow-on guidance coordinated with United States Computer Emergency Readiness Team advisories, updates to the NIST Cybersecurity Framework, and interoperability efforts with standards bodies such as the IETF and OASIS. Revisions have been shaped by interagency working groups including participants from the Office of Management and Budget, technical input from research organizations such as the Carnegie Mellon University Software Engineering Institute, and industry stakeholders including Cisco Systems and Microsoft Corporation.

Category:Computer security