| Scope and covered activity | SP 800-61 Rev. 3 is NIST incident-response guidance for incorporating incident-response recommendations into cybersecurity risk management. Use it to define program scope, owners, evidence, and response practices before mapping operational playbooks. | CISA playbooks provide operational federal incident and vulnerability response playbook detail. Use CISA playbooks to define the separate assurance, certification, legal, contractual, or operating lens before claiming equivalence. | For scope, write separate acceptance criteria for NIST SP 800-61 Rev. 3 and CISA playbooks; reuse evidence only where it proves both claims without changing the meaning. |
|---|---|---|---|
| Who must act | Assign NIST SP 800-61 Rev. 3 work to the owner who can approve the scoped risk, control, software, supplier, incident, or governance decision and provide evidence. | Assign CISA playbooks work to the owner who controls that program, contract, certification, legal obligation, or operational procedure. | A shared team can support both sides, but the accountable owner should be named separately for NIST SP 800-61 Rev. 3 and CISA playbooks. |
| Trigger or threshold | NIST SP 800-61 Rev. 3: use this side when analyzed adverse events meet the defined incident criteria and an incident should be declared. | CISA playbooks are activated when an FCEB incident involves confirmed malicious cyber activity or a major incident cannot be ruled out, or when an exploited vulnerability requires coordinated response. | Record the trigger facts in plain language so product, legal, security, privacy, sustainability, and procurement teams know when the comparison must be rerun. |
| Core obligations | Use NIST SP 800-61 Rev. 3 to organize preparation, detection, response, recovery, communications, and lessons-learned improvements across the incident-response program. | Use CISA playbooks to follow operational procedures and checklists for identifying, coordinating, remediating, recovering, and tracking incidents and exploited vulnerabilities in FCEB environments. | Turn the comparison into an action list with separate duties, shared controls, and unresolved gaps, then cite the source that supports each reused artifact. |
| Evidence and records | NIST SP 800-61 Rev. 3: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | CISA playbooks: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep a traceable evidence matrix: source, claim, owner, artifact, review date, and whether the evidence satisfies NIST SP 800-61 Rev. 3, CISA playbooks, or both. |
| Timing and cadence | NIST SP 800-61 Rev. 3: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | CISA playbooks: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use separate clocks for each side and surface the earliest decision date, longest retention or review duty, and any transition period that changes implementation sequencing. |
| Enforcement or assurance route | NIST SP 800-61 Rev. 3: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | CISA playbooks: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. |
| Overlap and reuse | NIST SP 800-61 Rev. 3: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | CISA playbooks can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Reuse evidence carefully: overlap can reduce duplicated work, but it does not merge scope, actors, deadlines, penalties, or public-facing wording. |
| Practical decision rule | Choose NIST SP 800-61 Rev. 3 as the primary lens when the question is about the NIST SP 800-61 Rev. 3 scope, terminology, evidence, and audience. | Choose CISA playbooks as the primary lens when the question is about the CISA playbooks scope, terminology, evidence, and audience. | When both apply, write one decision record with two source-linked claims instead of forcing one framework to stand in for the other. |