Incident Response and Contingency Activities
Incident Response and Contingency Activities are critical components of Governance, Risk, and Compliance (GRC) frameworks, designed to ensure organizations can effectively manage, respond to, and recover from unexpected events, disruptions, or security breaches.
**Incident Response** refers to the structured approach an organization takes to detect, contain, analyze, and remediate security incidents or compliance violations. It involves a well-defined plan that outlines roles, responsibilities, communication protocols, and escalation procedures. Key phases include preparation, identification, containment, eradication, recovery, and lessons learned. The goal is to minimize damage, reduce recovery time, and preserve evidence for potential legal or regulatory proceedings. Effective incident response ensures that organizations meet regulatory requirements and maintain stakeholder trust.
**Contingency Activities** encompass the planning and execution of strategies to maintain critical business operations during and after a disruptive event. This includes Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). Contingency plans identify essential functions, establish alternative processing sites, and define recovery time objectives (RTOs) and recovery point objectives (RPOs). Regular testing, training, and updating of these plans are essential to ensure their effectiveness.
In the context of **Compliance Maintenance**, organizations must ensure that both incident response and contingency activities align with applicable laws, regulations, and industry standards such as NIST, ISO 27001, GDPR, and HIPAA. Regular audits, risk assessments, and compliance reviews are conducted to verify that these plans remain current and effective. Key activities include documenting incidents, maintaining audit trails, conducting tabletop exercises, performing post-incident reviews, and updating policies based on lessons learned. Organizations must also ensure third-party vendors comply with incident response and contingency requirements. Ultimately, robust incident response and contingency activities demonstrate an organization's commitment to resilience, regulatory compliance, and risk mitigation, protecting assets, reputation, and stakeholders from the adverse effects of unforeseen disruptions.
Incident Response and Contingency Activities in CGRC
Understanding Incident Response and Contingency Activities in Compliance Maintenance
Why Is This Important?
Incident response and contingency planning are critical components of maintaining the security posture of information systems after authorization. No system is immune to disruptions, whether caused by cyberattacks, natural disasters, hardware failures, or human error. Organizations must be prepared to detect, respond to, recover from, and learn from incidents to minimize damage, reduce recovery time, and protect sensitive data. Within the context of the Governance, Risk, and Compliance (GRC) framework and the Risk Management Framework (RMF), these activities fall squarely within the continuous monitoring and compliance maintenance phase. Failing to have robust incident response (IR) and contingency plans can result in prolonged outages, data breaches, regulatory penalties, and loss of authorization to operate (ATO).
What Is Incident Response?
Incident response refers to the organized approach to addressing and managing the aftermath of a security breach, cyberattack, or other significant event that threatens the confidentiality, integrity, or availability of information systems. The goal is to handle the situation in a way that limits damage, reduces recovery time and costs, and prevents recurrence.
NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, outlines four primary phases of incident response:
1. Preparation – Establishing and training an incident response team, developing policies and procedures, acquiring necessary tools and resources, and conducting tabletop exercises.
2. Detection and Analysis – Identifying potential security incidents through monitoring, alerts, log analysis, and user reports. This phase involves determining the scope, severity, and impact of the incident.
3. Containment, Eradication, and Recovery – Containing the incident to prevent further damage, eliminating the root cause (e.g., removing malware, patching vulnerabilities), and restoring systems to normal operations.
4. Post-Incident Activity (Lessons Learned) – Conducting a thorough review of what happened, what was done, and what can be improved. This feedback loop is essential for strengthening future response capabilities and updating security controls.
What Is Contingency Planning?
Contingency planning focuses on ensuring the continuity of mission-critical operations when normal operations are disrupted. It is closely related to disaster recovery (DR) and business continuity planning (BCP) but has a specific focus within the federal and RMF context as defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems.
A contingency plan typically includes:
- Business Impact Analysis (BIA) – Identifies critical system components, their dependencies, and the impact of disruption. This determines the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
- Contingency Planning Policy Statement – A formal policy that provides the authority and guidance for developing the contingency plan.
- Recovery Strategies – Alternative processing sites (hot, warm, cold sites), data backup strategies, equipment replacement, and roles and responsibilities during recovery.
- Plan Testing, Training, and Exercises (TT&E) – Regularly testing the plan through tabletop exercises, functional exercises, and full-scale tests to ensure it works as intended.
- Plan Maintenance – Keeping the plan current by reviewing and updating it regularly, especially after significant changes to the system or environment.
How Do These Activities Work Within the RMF?
Within the RMF, incident response and contingency planning are addressed primarily through the following control families from NIST SP 800-53:
- IR (Incident Response) – Covers policies, procedures, training, testing, monitoring, reporting, and assistance related to incident handling.
- CP (Contingency Planning) – Covers contingency plan development, BIA, testing, training, alternate processing and storage sites, system backup, and recovery.
During the Authorization (Step 5) phase of the RMF, the authorizing official (AO) evaluates whether these plans are adequate. During Continuous Monitoring (Step 6), these plans must be maintained, tested, and updated as part of ongoing compliance.
Key relationships include:
- Incident response feeds into continuous monitoring by identifying new threats and vulnerabilities that may require updates to the system security plan (SSP), Plan of Action and Milestones (POA&M), or risk assessment.
- Contingency planning supports authorization by demonstrating that the organization can maintain operations even during adverse events, thereby reducing overall risk.
- Lessons learned from incidents and contingency plan testing may trigger reassessment of security controls or even reauthorization if changes are significant.
Key Concepts to Remember
- The incident response plan (IRP) and contingency plan (CP) are living documents that must be regularly reviewed, tested, and updated.
- Roles and responsibilities must be clearly defined, including the Computer Security Incident Response Team (CSIRT), contingency planning coordinator, system owner, and AO.
- Incidents must be reported to appropriate authorities (e.g., US-CERT for federal agencies) in accordance with organizational and regulatory requirements.
- The BIA is the foundation of contingency planning, determining what is most critical and how quickly it must be restored.
- RTO is the maximum tolerable downtime before unacceptable consequences occur. RPO is the maximum acceptable amount of data loss measured in time.
- Hot sites provide the fastest recovery but are the most expensive. Cold sites are the least expensive but take the longest to activate. Warm sites fall in between.
- Testing frequency and type should be commensurate with the system's FIPS 199 impact level (low, moderate, high).
How Incident Response and Contingency Activities Interact
These two disciplines are closely intertwined. During a significant security incident, the contingency plan may be activated to ensure continuity of operations. Conversely, a contingency event (such as a natural disaster) may create security incidents that require incident response procedures. The organization must ensure both plans are coordinated and that personnel are cross-trained.
Exam Tips: Answering Questions on Incident Response and Contingency Activities
1. Know the NIST publications. Be familiar with NIST SP 800-61 (Incident Response) and NIST SP 800-34 (Contingency Planning). Questions may reference specific phases, processes, or recommendations from these documents.
2. Understand the phases of incident response in order. Preparation → Detection and Analysis → Containment, Eradication, and Recovery → Post-Incident Activity (Lessons Learned). If a question asks what comes first or what should be done at a certain stage, map it to these phases.
3. Differentiate between incident response and contingency planning. IR deals with security events and breaches. CP deals with maintaining or restoring critical operations during disruptions. Questions may try to blur these lines — focus on the primary objective of each.
4. Remember that preparation is always the first step. Many questions will test whether you understand that having plans, teams, training, and tools in place before an incident is the most critical phase.
5. BIA is foundational to contingency planning. If a question asks what must be completed first in contingency planning, the answer is typically the Business Impact Analysis.
6. Know RTO and RPO definitions. These are frequently tested. RTO = how quickly you must recover. RPO = how much data loss is acceptable. If a question gives you a scenario and asks which metric applies, determine whether it is about time to restore services (RTO) or acceptable data loss window (RPO).
7. Hot, warm, and cold site distinctions. Hot = fully equipped and operational (fastest, most expensive). Warm = partially equipped. Cold = empty facility (slowest, cheapest). Questions often present a scenario and ask you to recommend the appropriate site type based on recovery requirements.
8. Post-incident activity and lessons learned are essential. Questions may test your understanding that after-action reviews are not optional — they are a required part of the incident response lifecycle that improves future response.
9. Understand reporting requirements. Federal agencies must report incidents to US-CERT. Know that timely reporting is a legal and policy requirement, not just a best practice.
10. Plan testing is mandatory, not optional. Contingency plans and incident response plans must be tested regularly. The type and frequency of testing depend on the system's impact level. High-impact systems require more rigorous and frequent testing.
11. Recognize trigger words in questions. If you see words like disruption, continuity, alternate site, backup, recovery, think contingency planning (CP family). If you see breach, attack, malware, compromise, forensics, think incident response (IR family).
12. Link activities back to the RMF. Remember that incident response and contingency activities are part of Step 6 (Monitor) of the RMF. They support ongoing authorization by ensuring that the organization can detect, respond to, and recover from events that could impact the system's security posture.
13. Elimination strategy. When faced with difficult questions, eliminate answers that skip phases (e.g., jumping to recovery without containment), confuse IR with CP, or suggest that planning activities occur after the incident rather than before.
14. Scenario-based questions. For complex scenarios, ask yourself: (a) What phase of IR or CP does this scenario describe? (b) What is the next logical step? (c) Who is responsible? This structured thinking will guide you to the correct answer.
15. Remember the connection to POA&M. Findings from incidents or contingency plan tests that reveal deficiencies should be documented in the Plan of Action and Milestones (POA&M) and tracked to resolution. This is a common exam topic that links incident response and contingency activities back to ongoing compliance and authorization.