---
title: "NIST SP 800-61 Rev. 3 FAQ: practical implementation questions"
canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/faq"
source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/faq/items"
author: "Sorena AI"
description: "Standalone NIST SP 800-61 Rev. 3 FAQ questions with source-linked answers, implementation checklists, and evidence guidance."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIST SP 800-61 Rev. 3 FAQ"
  - "NIST questions"
  - "implementation answers"
  - "evidence checklist"
  - "NIST SP 800-61"
  - "Incident response"
  - "CSF 2.0"
---

# NIST SP 800-61 Rev. 3 FAQ: practical implementation questions

Standalone NIST SP 800-61 Rev. 3 FAQ questions with source-linked answers, implementation checklists, and evidence guidance.


Answers to practical NIST SP 800-61 Rev. 3 questions with source-linked implementation guidance.

Turn guidance into a standalone operating path with clear scope, accountable owners, evidence requirements, review cadence, and decision outputs.

Use these NIST SP 800-61 Rev. 3 FAQs when a team needs a short answer that still preserves scope, evidence, and source accuracy. Each answer should stand alone in search results and link back to the practical workflow pages.

## Browse sub-FAQ modules

### [How should teams handle communications under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/communications.md)

Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.

- 2 items

### [How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/event-vs-incident.md)

Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.

- 2 items

### [How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/lessons-learned.md)

Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.

- 2 items

### [How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/post-incident-evidence.md)

Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.

- 2 items

### [How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/reporting-clocks.md)

Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.

- 2 items

### [How should teams handle severity under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/severity.md)

Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.

- 2 items

### [What should recovery include in a NIST SP 800-61 Rev. 3 incident response process?](/artifacts/global/nist-sp-800-61-rev-3/faq/recovery.md)

Recovery should include restoring affected services, validating that the incident is contained, confirming monitoring is in place, communicating status, preserving evidence, and deciding when normal operations can safely resume.

- 2 items

### [Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/csirt-roles.md)

Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.

- 2 items

Browse all indexed questions: [/artifacts/global/nist-sp-800-61-rev-3/faq/items](/artifacts/global/nist-sp-800-61-rev-3/faq/items.md)

## All FAQ items

### [How should teams handle communications under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/communications.md#how-should-teams-handle-communications-under-nist-sp-800-61-rev-3-incident-response)

*Module: [How should teams handle communications under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/communications.md)*

Use communications to coordinate the incident response, notify affected customers, employees, partners, regulators, or others when required, share information with designated stakeholders, and handle media or public updates through approved channels.

- Coordinate internal and external incident response activities among the people who have incident response roles and responsibilities.
- Notify affected parties when the incident response plan, laws, regulations, or contracts require it, and follow established procedures for what must be reported and when.
- Use public affairs and media relations for public updates, and keep senior leadership informed on major incidents.
- Share cyber threat information only with designated stakeholders and in line with response plans and information sharing agreements.
- Set a change trigger so the communication decision is reviewed after changes to the incident, the legal or contractual environment, or the affected service, supplier, or product.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What evidence should support communications under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/communications.md#what-evidence-should-support-communications-under-nist-sp-800-61-rev-3)

*Module: [How should teams handle communications under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/communications.md)*

Use the NIST SP 800-61 Rev. 3 decision path to make this topic review-ready: define the decision, identify stakeholders, attach source evidence, assign ownership, document gaps, and set a reassessment trigger.

- Write the decision and scope in one sentence.
- Attach the source-linked evidence that proves the current state.
- Name the accountable owner and backup reviewer.
- Record unresolved gaps, accepted risk, and dependencies.
- Set a date or event trigger for reassessment.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/event-vs-incident.md#how-should-teams-handle-event-vs-incident-under-nist-sp-800-61-rev-3-incident-response)

*Module: [How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/event-vs-incident.md)*

Start with the event record, then decide whether the facts justify incident handling. NIST SP 800-61 Rev. 3 defines an event as any observable occurrence involving computing assets, and says a cybersecurity incident is an occurrence that actually or imminently jeopardizes confidentiality, integrity, or availability, or violates law or security policy.

- Treat the event as the starting point for triage, not the final classification.
- Use the incident definition to decide whether the activity requires incident response.
- Preserve the event record when escalation occurs so the incident file shows why the decision was made.
- Keep the handling path reviewable by documenting the facts, owner, and escalation rationale.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What evidence should support event vs. incident under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/event-vs-incident.md#what-evidence-should-support-event-vs-incident-under-nist-sp-800-61-rev-3)

*Module: [How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/event-vs-incident.md)*

Keep enough evidence to show what was observed, what was decided, and why the team moved forward or stopped. That usually means the alert or log entry, the triage notes, the incident criteria that were applied, and the escalation rationale.

- Write the decision and scope in one sentence.
- Attach the source-linked evidence that proves the current state.
- Name the accountable owner and backup reviewer.
- Record unresolved gaps, accepted risk, and dependencies.
- Set a date or event trigger for reassessment.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What belongs in a solid lessons-learned answer?](/artifacts/global/nist-sp-800-61-rev-3/faq/lessons-learned.md#what-belongs-in-a-solid-lessons-learned-answer)

*Module: [How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/lessons-learned.md)*

Define the event scope, accountable owner, source-linked requirement, evidence artifact, and review trigger before treating the outcome as a public, customer-facing, audit, procurement, or internal control commitment.

- Define the lessons learned scope and source-linked trigger before assigning the work.
- Create evidence that proves the lessons learned decision for the specific product, service, supplier, control, certificate profile, or implementation context.
- Set a change trigger so the answer is reviewed after material source, product, supplier, platform, audit, or process changes.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What evidence should support lessons learned under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/lessons-learned.md#what-evidence-should-support-lessons-learned-under-nist-sp-800-61-rev-3)

*Module: [How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/lessons-learned.md)*

Use the NIST SP 800-61 Rev. 3 decision path to make this topic review-ready: define the decision, attach source evidence, assign ownership, document gaps, and set a reassessment trigger.

- Write the decision and scope in one sentence.
- Attach the source-linked evidence that proves the current state.
- Name the accountable owner and backup reviewer.
- Record unresolved gaps, accepted risk, and dependencies.
- Set a date or event trigger for reassessment.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/post-incident-evidence.md#how-should-teams-handle-post-incident-evidence-under-nist-sp-800-61-rev-3-incident-response)

*Module: [How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/post-incident-evidence.md)*

Collect the incident data and metadata that explain what happened, which systems were involved, and what actions were taken. NIST SP 800-61 Rev. 3 notes that formal evidence gathering and chain-of-custody handling may not be needed for every incident, but the collected data is still evidence and its integrity and provenance should be preserved.

- Collect incident data and metadata that support analysis, recovery, and documentation.
- Preserve the integrity and provenance of records and evidence.
- Follow evidence preservation procedures and data retention policies when deciding what to retain.
- Consider whether the incident may lead to prosecution or other legal action.
- Weigh the cost of keeping the data, plus the hardware and software needed to access it later.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What evidence should support post-incident evidence under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/post-incident-evidence.md#what-evidence-should-support-post-incident-evidence-under-nist-sp-800-61-rev-3)

*Module: [How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/post-incident-evidence.md)*

Keep the supporting record simple and practical: write what happened, what was collected, where it is stored, who owns it, and when it should be reviewed or disposed of. If you cannot show that the evidence came from a controlled process, the record is harder to trust.

- Write the decision and scope in one sentence.
- Attach the source-linked evidence that proves the current state.
- Name the accountable owner and backup reviewer.
- Record unresolved gaps, accepted risk, and dependencies.
- Set a date or event trigger for reassessment.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/reporting-clocks.md#how-should-teams-handle-reporting-clocks-under-nist-sp-800-61-rev-3-incident-response)

*Module: [How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/reporting-clocks.md)*

In practice, reporting clocks are the deadlines and update points that drive incident coordination, incident notification, and public communication. NIST SP 800-61r3 says organizations should have mechanisms in place in advance to coordinate with affected parties, follow established procedures for what must be reported to whom and at what times, and perform notifications in compliance with current laws and regulations.

- Define when reporting starts and which incident types trigger a clock.
- Document who reports, who approves, and who receives each update.
- Specify what must be reported, including initial notice and regular status updates.
- Review the clock whenever laws, contracts, suppliers, or internal procedures change.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What evidence should support reporting clocks under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/reporting-clocks.md#what-evidence-should-support-reporting-clocks-under-nist-sp-800-61-rev-3)

*Module: [How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/reporting-clocks.md)*

Keep the evidence practical and reviewable. A reader should be able to identify who owns the decision, which source supports it, what artifact proves it, and when it needs to be revisited.

- Write the decision and scope in one sentence.
- Attach the source-linked evidence that proves the current state.
- Name the accountable owner and backup reviewer.
- Record unresolved gaps, accepted risk, and dependencies.
- Set a date or event trigger for reassessment.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [How should teams handle severity under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/severity.md#how-should-teams-handle-severity-under-nist-sp-800-61-rev-3-incident-response)

*Module: [How should teams handle severity under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/severity.md)*

Use severity as a triage label, not a guess. When a report comes in, first verify that a cybersecurity incident has occurred, then estimate the severity of the incident and the level of urgency needed to respond to it.

- Estimate severity during preliminary review, after confirming the report is a cybersecurity incident.
- Base the decision on factors such as asset criticality, functional impact, data impact, stage of observed activity, threat actor characterization, and recoverability.
- Use the severity result to prioritize response actions, escalation, and when recovery should begin.
- Keep the criteria in the incident response policy so severity decisions are consistent across teams and incidents.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What evidence should support severity under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/severity.md#what-evidence-should-support-severity-under-nist-sp-800-61-rev-3)

*Module: [How should teams handle severity under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/severity.md)*

Document the severity decision, the criteria used, and the main factors that drove the triage outcome. That record should show why the incident was placed at its current severity and whether recovery can start now or should wait for more analysis.

- Write the severity decision and the reason for it in the incident record.
- Capture the factors used in the judgment, especially impact, scope, urgency, and recoverability.
- Name the accountable owner and any escalation point if the severity changes.
- Review the severity when new evidence changes the scope or likely impact of the incident.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What should recovery include in a NIST SP 800-61 Rev. 3 incident response process?](/artifacts/global/nist-sp-800-61-rev-3/faq/recovery.md#what-should-recovery-include-in-a-nist-sp-800-61-rev-3-incident-response-process)

*Module: [What should recovery include in a NIST SP 800-61 Rev. 3 incident response process?](/artifacts/global/nist-sp-800-61-rev-3/faq/recovery.md)*

Recovery should include restoring affected services, validating that the incident is contained, confirming monitoring is in place, communicating status, preserving evidence, and deciding when normal operations can safely resume.

- Define when the event becomes an incident or escalation.
- Preserve records and evidence during response and recovery.
- Feed lessons learned into CSF 2.0 improvement work.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What practical checklist should teams use for recovery under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/recovery.md#what-practical-checklist-should-teams-use-for-recovery-under-nist-sp-800-61-rev-3-incident-response)

*Module: [What should recovery include in a NIST SP 800-61 Rev. 3 incident response process?](/artifacts/global/nist-sp-800-61-rev-3/faq/recovery.md)*

Use the NIST SP 800-61 Rev. 3 decision path to make this topic review-ready: define the decision, attach source evidence, assign ownership, document gaps, and set a reassessment trigger.

- Write the decision and scope in one sentence.
- Attach the source-linked evidence that proves the current state.
- Name the accountable owner and backup reviewer.
- Record unresolved gaps, accepted risk, and dependencies.
- Set a date or event trigger for reassessment.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/csirt-roles.md#which-csirt-roles-should-teams-define-under-nist-sp-800-61-rev-3)

*Module: [Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/csirt-roles.md)*

Define CSIRT roles by naming the operating role, scope, authority, evidence artifact, and source-linked requirement before using it in a live workflow.

- Leadership oversees incident response, allocates funding, and may approve high-impact response actions.
- Incident handlers verify incidents, collect and analyze data and evidence, prioritize response activities, and limit damage.
- Technology professionals, legal, public affairs and media relations, human resources, and physical security and facilities management support response and recovery as needed.
- Asset owners help set response and recovery priorities for affected assets and receive status updates.
- Third parties, such as MSSPs, cloud service providers, ISPs, business partners, and law enforcement agencies, may support incident response when the organization needs them.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

### [What evidence should support CSIRT roles under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/csirt-roles.md#what-evidence-should-support-csirt-roles-under-nist-sp-800-61-rev-3)

*Module: [Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/csirt-roles.md)*

Use the NIST SP 800-61 Rev. 3 decision path to make this topic review-ready: document who is responsible, what authority each role has, what evidence proves the assignment, and when the assignment must be reviewed.

- Write the role, authority, and backup for each incident response function.
- Document which actions leadership can approve and which actions incident handlers can take directly.
- Record the external parties that may be involved, such as providers, business partners, or law enforcement.
- Capture the status-update and escalation path for asset owners and senior leadership.
- Review the assignments after major incidents or organizational changes.

Sources for this answer:

- [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Primary NIST final publication page for SP 800-61 Rev. 3.
- [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication.
- [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.

## Put this NIST SP 800-61 Rev. 3 guidance into practice

Use the cited sources to turn the guidance into scoped decisions, owners, evidence requests, and review checkpoints.

- [Open Assessment Autopilot for NIST SP 800-61 Rev. 3](/solutions/assessment.md): Create source-linked tasks, evidence requests, and review checkpoints for this NIST SP 800-61 Rev. 3 scope.
- [Review this NIST SP 800-61 Rev. 3 scope with Sorena](/contact.md): Check source coverage, ownership, evidence gaps, and next steps before publishing or operationalizing the work.


