---
title: "NIST SP 800-61r3 FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/faq"
source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/faq"
author: "Sorena AI"
description: "Practical FAQ on NIST SP 800-61r3 covering what changed from r2, incident declaration, risk evaluation factors, containment versus observation."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "NIST SP 800-61r3 FAQ"
  - "incident declaration criteria"
  - "risk evaluation factors"
  - "containment versus observation"
  - "evidence integrity"
  - "incident notifications"
  - "recovery criteria"
  - "GLOBAL compliance"
  - "NIST SP 800-61r3"
  - "Incident response FAQ"
  - "CSF 2.0"
---

---

# NIST SP 800-61r3 FAQ

Practical FAQ on NIST SP 800-61r3 covering what changed from r2, incident declaration, risk evaluation factors, containment versus observation.

*FAQ* *GLOBAL*

## NIST SP 800-61r3 FAQ

Answers to the operational questions that matter during real incidents.

Focused on Rev. 3 changes, risk-based prioritization, evidence handling, and recovery.

SP 800-61r3 raises practical questions that older incident-response guidance did not handle as directly: when to declare an incident, how to prioritize by risk, whether to delay containment for observation, what evidence needs stronger protection, and when recovery should begin or end. This FAQ answers those questions using NIST's actual Rev. 3 structure and recommendations.

## What changed most from SP 800-61r2

The biggest change is scope. Rev. 3 no longer tries to be a static procedural handbook for every technology. Instead, it provides recommendations and considerations for incorporating incident response throughout cybersecurity risk management as a CSF 2.0 community profile.

That is why the document puts so much emphasis on all six CSF Functions and continuous improvement.

- Published April 2025 and supersedes r2 from August 2012
- Moves from a narrow incident-handling focus to a broader cyber risk management model
- Uses CSF 2.0 categories and subcategories as the organizing structure

## What should trigger incident declaration and escalation

Rev. 3 says incidents are declared when adverse events meet defined incident criteria. Teams should not improvise these thresholds during a crisis.

Escalation and prioritization should be based on risk evaluation factors instead of first-come-first-served handling.

- Use predefined incident criteria and known false-positive patterns during declaration
- Estimate severity and urgency during preliminary review
- Base prioritization on factors such as asset criticality, functional impact, data impact, stage of activity, threat actor characterization, and recoverability
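The declaration and prioritization steps above can be expressed as a small triage model. The following is an added example, not code from NIST or from Sorena: it screens adverse events against known false-positive patterns and predefined incident criteria, then ranks declared incidents by a weighted score over the six risk evaluation factors named in the list. The 0..3 rating scale, the weights, the three criteria and the sample events are constructed assumptions; a real team would set them from its own risk tolerance and record them before an incident, not during one.

```python
"""Added example (not NIST's or Sorena's): incident declaration against
predefined criteria and known false-positive patterns, then risk-based
prioritization using the Rev. 3 risk evaluation factors. Scales, weights,
criteria and sample events are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class AdverseEvent:
    event_id: str
    summary: str
    # Risk evaluation factors, each rated 0 (none/low) .. 3 (high): constructed scale
    asset_criticality: int
    functional_impact: int
    data_impact: int
    stage_of_activity: int      # 0 reconnaissance .. 3 actions on objectives
    threat_actor: int           # 0 opportunistic .. 3 capable and targeted
    recoverability: int         # 0 routine restore .. 3 not recoverable
    tags: set = field(default_factory=set)


# Predefined incident criteria; a single match is enough to declare (assumption)
INCIDENT_CRITERIA = {
    "activity_beyond_initial_access": lambda e: e.stage_of_activity >= 2,
    "data_impact_on_critical_asset": lambda e: e.data_impact >= 2 and e.asset_criticality >= 2,
    "high_functional_impact": lambda e: e.functional_impact == 3,
}

# Known false-positive patterns maintained between incidents (constructed)
KNOWN_FALSE_POSITIVE_TAGS = {"authorized_vuln_scan", "backup_bulk_read"}

# Relative weight of each factor in the priority score (constructed)
WEIGHTS = {
    "asset_criticality": 3, "functional_impact": 3, "data_impact": 3,
    "stage_of_activity": 2, "threat_actor": 2, "recoverability": 2,
}
MAX_SCORE = 3 * sum(WEIGHTS.values())  # highest possible score on this scale


def declare(event):
    """Return (declared, reasons). Known false positives are screened out first."""
    fp = event.tags & KNOWN_FALSE_POSITIVE_TAGS
    if fp:
        return False, [f"known false positive: {sorted(fp)[0]}"]
    matched = [name for name, rule in INCIDENT_CRITERIA.items() if rule(event)]
    return bool(matched), matched


def risk_score(event):
    """Weighted sum over the six risk evaluation factors."""
    return sum(getattr(event, factor) * w for factor, w in WEIGHTS.items())


def prioritize(events):
    """Declared incidents ordered by risk score, highest first, with matched criteria."""
    ranked = []
    for e in events:
        declared, reasons = declare(e)
        if declared:
            ranked.append({"event_id": e.event_id, "score": risk_score(e), "criteria": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed sample events for the demo
SAMPLE_EVENTS = [
    AdverseEvent("EV-1", "credential dump on web-01", 3, 2, 3, 3, 2, 2),
    AdverseEvent("EV-2", "port sweep from scanner host", 1, 0, 0, 1, 0, 0, {"authorized_vuln_scan"}),
    AdverseEvent("EV-3", "ransom note on file share", 2, 3, 2, 3, 2, 3),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_EVENTS):
        print(f"{row['event_id']}: {row['score']}/{MAX_SCORE} via {row['criteria']}")
```

Two design points worth noting. The false-positive screen runs before the criteria so analysts are not repeatedly re-triaging known benign activity, but the screen is a tag lookup rather than a silent drop: the reason is returned so the decision is auditable. The score is only an ordering aid; with the constructed weights EV-1 and EV-3 land within one point of each other, which is exactly the case where the preliminary severity and urgency estimate, not the number, should decide who is worked first.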

## Can we delay containment to observe an attacker

Sometimes yes, but NIST warns that delaying containment to monitor an attacker can be dangerous because the attacker may escalate access or compromise additional systems.

The document says the incident team should discuss that strategy with legal before executing it.

- Use predefined criteria for investigative delay versus immediate containment
- Document approvals and the business-risk tradeoff
- Fall back to containment quickly if the risk exceeds tolerance

## Do we need full chain of custody for every incident

No. Rev. 3 explicitly notes that formal evidence gathering and chain-of-custody procedures may not be used for every incident. However, collected incident data is still evidence.

Even when prosecution is unlikely, teams should preserve integrity, provenance, and access control for incident records and data.

- Protect records, evidence, and metadata from unauthorized access or alteration
- Follow evidence-preservation and retention procedures appropriate to the incident
- Scale formality by legal risk, regulatory risk, and likelihood of external investigation
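Preserving integrity, provenance and access control for incident records does not require a full forensic chain of custody; a manifest that records who collected what, from where and when, with a per-file hash and a keyed hash over the manifest itself, already makes later alteration detectable. The following is an added example, not NIST's or Sorena's code: the incident id, collector name, host name, log line and the HMAC key are constructed assumptions (a real key belongs in a KMS or HSM, not in source).

```python
"""Added example (not from NIST SP 800-61r3 or Sorena): a lightweight evidence
manifest for incident records. Provenance (collector, source host, time) and
integrity (SHA-256 per file, HMAC over the manifest) are recorded so that a
changed record or a changed manifest is detected on verification.
Key, hostnames, file names and contents are constructed assumptions."""
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialization so the HMAC does not depend on dict ordering
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, *, incident_id, collector, source_host, key: bytes) -> dict:
    """Record provenance and a SHA-256 for each file, then seal the manifest with an HMAC."""
    entries = [{
        "name": p.name,
        "size": p.stat().st_size,
        "sha256": sha256_file(p),
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    } for p in files]
    body = {"incident_id": incident_id, "collector": collector,
            "source_host": source_host, "entries": entries}
    return {"body": body, "hmac_sha256": hmac.new(key, _canonical(body), "sha256").hexdigest()}


def verify_manifest(manifest: dict, directory: Path, key: bytes) -> dict:
    """Check the manifest seal, then each file against its recorded hash."""
    expected = hmac.new(key, _canonical(manifest["body"]), "sha256").hexdigest()
    result = {"manifest_intact": hmac.compare_digest(expected, manifest["hmac_sha256"]),
              "files": {}}
    for entry in manifest["body"]["entries"]:
        p = directory / entry["name"]
        if not p.exists():
            result["files"][entry["name"]] = "missing"
        elif sha256_file(p) != entry["sha256"]:
            result["files"][entry["name"]] = "altered"
        else:
            result["files"][entry["name"]] = "ok"
    return result


def run_demo() -> dict:
    """Build a manifest over constructed records, then alter a file and the manifest."""
    key = b"constructed-demo-key-do-not-reuse"  # assumption: real key lives in a KMS/HSM
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample records
        (d / "auth.log").write_text(
            "Mar  4 10:12:01 web-01 sshd[812]: Accepted publickey for deploy from 10.0.0.5\n")
        (d / "triage-notes.txt").write_text("Preliminary review: severity high, urgency high\n")
        manifest = build_manifest(sorted(d.glob("*")), incident_id="INC-2026-0001",
                                  collector="analyst-a", source_host="web-01", key=key)
        before = verify_manifest(manifest, d, key)
        (d / "auth.log").write_text("")            # simulate alteration of a record
        after = verify_manifest(manifest, d, key)
        tampered = json.loads(json.dumps(manifest))
        tampered["body"]["collector"] = "someone-else"   # simulate altered provenance
        manifest_ok = verify_manifest(tampered, d, key)["manifest_intact"]
    return {"before": before, "after_file_change": after,
            "manifest_tamper_detected": not manifest_ok}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest file and the key should sit under tighter access control than the records they cover, since anyone who can rewrite both can re-seal the altered set. For incidents where external investigation is likely, this is the point at which the formality scales up: the same hashes feed a formal chain-of-custody record, and a digital signature with an auditable key replaces the shared HMAC key.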

## How should notification and information sharing work

Rev. 3 separates communication into four categories: incident coordination, incident notification, public communication, and incident information sharing. Each needs its own procedures and approval paths.

Organizations should perform notifications in line with current laws, regulations, contracts, and internal policy.

- Define who is notified, when, and through which channel
- Coordinate with affected third parties, regulators, and law enforcement where criteria require it
- Use secure information-sharing methods and approved media procedures

## When should recovery start and finish

Rev. 3 says recovery should start when incident recovery criteria are met, taking into account the possible operational disruption of the recovery actions themselves.

Recovery ends when restoration criteria are met, restored assets are verified, normal operating status is confirmed, and the incident documentation is completed.

- Select recovery actions based on timeliness, precision, reliability, and available resources
- Verify restored assets for indicators of compromise before production use
- Declare the end of recovery using predefined criteria and complete the after-action report


## Use NIST SP 800-61r3 FAQ as a cited research workflow

Research Copilot can take NIST SP 800-61r3 FAQ from cited answers to recurring questions on this topic to a reusable workflow inside Sorena. Teams working on NIST SP 800-61r3 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for NIST SP 800-61r3 FAQ](/solutions/research-copilot.md): Start from NIST SP 800-61r3 FAQ and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through NIST SP 800-61r3](/contact.md): Review your current process, evidence gaps, and next steps for NIST SP 800-61r3 FAQ.

## Primary sources

- [NIST SP 800-61r3 - DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - Primary source for incident response recommendations and CSF 2.0 profile alignment.
- [NIST SP 800-61r3 publication page](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Official publication details, updates, and related resources.
- [NIST CSF 2.0 (CSWP 29) - DOI](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Framework context referenced by SP 800-61r3.

## Related Topic Guides

- [NIST SP 800-61r3 Compliance Playbook | CSF 2.0 Incident Response](/artifacts/global/nist-sp-800-61-rev-3/compliance.md): Grounded incident-response playbook for NIST SP 800-61r3 covering the CSF 2.0 community-profile model, roles, risk-based incident management, communications.
- [NIST SP 800-61r3 Incident Response Playbook Template](/artifacts/global/nist-sp-800-61-rev-3/incident-response-playbook-template.md): Grounded incident-response playbook template based on NIST SP 800-61r3 with incident criteria, incident lead, risk evaluation factors, communications tracks.
- [NIST SP 800-61r3 Severity Classification and SLA Model](/artifacts/global/nist-sp-800-61-rev-3/severity-classification-and-sla-model.md): Grounded severity and SLA model for NIST SP 800-61r3 using NIST risk evaluation factors such as asset criticality, impact, scope, threat behavior.
- [NIST SP 800-61r3 vs ISO 27035 | Incident Response Comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-iso-27035.md): Grounded comparison of NIST SP 800-61r3 and ISO 27035 covering the CSF 2.0 community-profile model, management-process structure, communications, recovery.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/faq
