--- title: "NIST SP 800-61r3" canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3" source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3" author: "Sorena AI" description: "Grounded NIST SP 800-61r3 guidance covering the April 2025 CSF 2.0 community profile, incident management, incident analysis, response communications." published_at: "2026-03-04" updated_at: "2026-03-04" keywords: - "NIST SP 800-61r3" - "incident response recommendations and considerations for cybersecurity risk management" - "CSF 2.0 community profile" - "incident management" - "incident analysis" - "response communication" - "incident mitigation" - "incident recovery" - "evidence integrity and provenance" - "NIST incident response" - "Incident response" - "CSF 2.0" - "Cybersecurity operations" - "Global compliance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # NIST SP 800-61r3 Grounded NIST SP 800-61r3 guidance covering the April 2025 CSF 2.0 community profile, incident management, incident analysis, response communications. ![NIST SP 800-61r3 artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-global-nist-sp-800-61-rev-3-small.jpg?v=cheatsheets%2Fprod) *NIST SP 800-61r3* *Free Resource* ## NIST SP 800-61r3 Incident response and recovery implementation hub Use these guides to implement NIST SP 800-61r3 as a modern incident-response capability: integrate incident response across all six CSF 2.0 Functions, manage incidents with explicit risk evaluation factors, preserve record and evidence integrity, coordinate notifications and information sharing, and execute recovery with declared end-state criteria. Grounded to NIST SP 800-61r3, published April 2025 and approved March 25, 2025. Revision 3 supersedes SP 800-61r2 and replaces the old static lifecycle framing with a CSF 2.0 community-profile model centered on continuous improvement. [Jump to guides](#topics) ## What this artifact helps you do - **Run incident response across CSF 2.0**: Use Govern, Identify, and Protect for preparation, Detect, Respond, and Recover for active handling, and Identify Improvement for lessons learned. - **Prioritize and manage incidents by risk**: Use asset criticality, impact, scope, threat behavior, and recoverability to decide triage, escalation, and when recovery starts. - **Preserve trustworthy response records**: Protect the integrity and provenance of investigation actions, incident data, and recovery records so decisions are defensible later. By Sorena AI | Updated 2026 | No signup required ### Quick scan *IR* - **Compliance playbook**: How Rev. 3 reframes incident response as cybersecurity risk management. - **Playbook template**: A scenario-ready structure for triage, mitigation, communication, and recovery. - **Severity and SLA model**: How to convert NIST risk evaluation factors into prioritization and response timing. SP 800-61r3 is strongest when the incident team, asset owners, leadership, legal, privacy, suppliers, and recovery teams operate from the same incident model. | Value | Metric | | --- | --- | | Apr 2025 | Published | | CSF 2.0 | Profile | | RS plus RC | Integrated | | Evidence | Preserved | **Key highlights:** Analyze | Communicate | Recover ## Topic Guides - [NIST SP 800-61r3 Compliance Playbook | CSF 2.0 Incident Response](/artifacts/global/nist-sp-800-61-rev-3/compliance.md): Grounded incident-response playbook for NIST SP 800-61r3 covering the CSF 2.0 community-profile model, roles, risk-based incident management, communications. - [NIST SP 800-61r3 FAQ | Practical Incident Response Questions](/artifacts/global/nist-sp-800-61-rev-3/faq.md): Practical FAQ on NIST SP 800-61r3 covering what changed from r2, incident declaration, risk evaluation factors, containment versus observation. - [NIST SP 800-61r3 Incident Response Playbook Template](/artifacts/global/nist-sp-800-61-rev-3/incident-response-playbook-template.md): Grounded incident-response playbook template based on NIST SP 800-61r3 with incident criteria, incident lead, risk evaluation factors, communications tracks. - [NIST SP 800-61r3 Severity Classification and SLA Model](/artifacts/global/nist-sp-800-61-rev-3/severity-classification-and-sla-model.md): Grounded severity and SLA model for NIST SP 800-61r3 using NIST risk evaluation factors such as asset criticality, impact, scope, threat behavior. - [NIST SP 800-61r3 vs ISO 27035 | Incident Response Comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-iso-27035.md): Grounded comparison of NIST SP 800-61r3 and ISO 27035 covering the CSF 2.0 community-profile model, management-process structure, communications, recovery. ## Explore NIST SP 800-61r3 guides *Guides* Use these subpages for implementation depth: compliance, FAQ, playbook template, framework comparison, and severity/SLA model. ## How to run incident response as continuous cyber risk management *Implementation* Treat incident response as a continuous risk management capability, not a closed loop that waits for a final postmortem. Use the CSF 2.0 Functions to prepare, detect, manage, analyze, communicate, mitigate, recover, and continuously improve based on lessons learned identified during and after incidents. *Next step* ## Turn NIST SP 800-61r3 Incident response and recovery implementation hub into an operational assessment workflow NIST SP 800-61r3 Incident response and recovery implementation hub should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into SSOT when the artifact needs deeper research, evidence governance, or supporting analysis. - Start from NIST SP 800-61r3 Incident response and recovery implementation hub and route the work by entity, product, team, or control owner. - Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints. - Use SSOT to keep documents, evidence, and control records in one governed system. - Move from artifact reading to accountable execution without rebuilding the guidance in separate files. - [Open Assessment Autopilot](/solutions/assessment.md): Turn the guidance into owned tasks, evidence requests, and review checkpoints for NIST SP 800-61r3 Incident response and recovery implementation hub. - [Open SSOT](/solutions/ssot.md): Keep documents, evidence, and control records in one governed system from the same artifact. - [Talk through NIST SP 800-61r3 Incident response and recovery implementation hub](/contact.md): Review your current process, evidence model, and next steps for NIST SP 800-61r3 Incident response and recovery implementation hub. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3