The NIST Incident Response Framework from SP 800-61 defines four phases of incident handling: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.
The NIST Incident Response Framework, defined in NIST Special Publication 800-61 (Computer Security Incident Handling Guide), provides a four-phase approach to incident response: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. It is the most widely adopted incident response framework in the United States and serves as the foundation for incident response programs across government agencies, critical infrastructure, and private sector organizations.
The Preparation phase establishes the incident response capability through team formation, tool deployment, training, and playbook development. Detection and Analysis covers the identification of incidents through alerts, log analysis, and threat intelligence, followed by validation, classification, and prioritization. Containment, Eradication, and Recovery is the active response phase, in which threats are isolated, malicious artifacts are removed, and affected systems are restored to normal operations. The framework distinguishes between short-term containment (immediate threat isolation) and long-term containment (sustained measures kept in place while eradication is completed). Post-Incident Activity includes lessons-learned meetings, evidence retention, and process improvement based on findings.
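To make the phase ordering and the prioritization step concrete, here is an added Python example (not from SP 800-61 or CDA) that tracks an incident through the four phases and refuses to skip required work: prioritization before response, short-term isolation before long-term containment and eradication, and eradication plus evidence retention before the post-incident review. The impact categories follow the prioritization factors in SP 800-61 rev. 2; the point values, tier thresholds and the Incident class are assumptions made for illustration.

```python
from enum import IntEnum

# The four SP 800-61 phases, in the order the guide presents them.
class Phase(IntEnum):
    PREPARATION = 1
    DETECTION_ANALYSIS = 2
    CONTAINMENT_ERADICATION_RECOVERY = 3
    POST_INCIDENT = 4

# Impact categories follow the prioritization factors in SP 800-61 rev. 2;
# the 0-3 point values and tier thresholds are assumptions made for this example.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy": 2, "proprietary": 2, "integrity": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not_recoverable": 3}

def prioritize(functional, information, recoverability):
    """Combine the three impact ratings into a priority tier (P1 highest)."""
    score = FUNCTIONAL[functional] + INFORMATION[information] + RECOVERABILITY[recoverability]
    return "P1" if score >= 7 else "P2" if score >= 4 else "P3"

class Incident:
    """One incident record; advance() refuses transitions that skip required work."""
    def __init__(self, ident):
        self.ident = ident
        self.phase = Phase.PREPARATION
        self.priority = None          # set during Detection and Analysis
        self.containment = []         # "short_term" and/or "long_term"
        self.eradicated = False
        self.evidence = []            # retained artifacts, e.g. (hash, description)

    def advance(self, target):
        if target != self.phase + 1:
            raise ValueError(f"cannot move from {self.phase.name} to {target.name}")
        if target == Phase.CONTAINMENT_ERADICATION_RECOVERY and self.priority is None:
            raise ValueError("validate and prioritize the incident before responding")
        if target == Phase.POST_INCIDENT and not (self.eradicated and self.evidence):
            raise ValueError("finish eradication and retain evidence before the post-incident review")
        self.phase = target

    def contain(self, kind):
        if self.phase != Phase.CONTAINMENT_ERADICATION_RECOVERY:
            raise ValueError("containment belongs to the response phase")
        if kind == "long_term" and "short_term" not in self.containment:
            raise ValueError("long-term containment builds on short-term isolation")
        self.containment.append(kind)

    def eradicate(self):
        if "short_term" not in self.containment:
            raise ValueError("isolate the threat before removing artifacts")
        self.eradicated = True
```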
NIST 800-61 provides a vendor-neutral, publicly available framework that organizations of any size can adopt. Its four-phase structure is intuitive and aligns with the natural progression of incident handling. The framework's emphasis on preparation and post-incident activity ensures that organizations invest in prevention and continuous improvement, not just reactive response. Federal agencies are required to follow NIST guidelines, and many regulatory frameworks reference 800-61 as the standard for incident response capability.
CDA's incident response missions are built on the NIST framework, extended with CDA's PDM domain model. Our C-BUILD campaigns establish the Preparation phase capabilities, while C-HARDEN missions stress-test Detection and Analysis through adversary simulation. The NIST framework's phases map directly to CDA theater missions, providing a familiar structure for organizations building their incident response programs through CDA's campaign tiers.
CDA Theater missions that address topics covered in this article.
Evidence collection and chain of custody ensure digital evidence maintains integrity and legal admissibility through forensically sound gathering techniques, cryptographic verification, and documented handling records.
Incident response plan development creates a structured, documented approach for handling cybersecurity incidents, defining roles, procedures, and communication protocols to enable rapid, coordinated response.
Written by CDA Editorial