NIST SP 800-61 Rev. 3 Rev. 3 Changes Guide

Shows that SP 800-61r3 is dated April 2025 and supersedes SP 800-61r2 (August 2012).

Confirms the full title and April 2025 publication date for SP 800-61r3.

Supports the CSF 2.0 framework structure used in the revised publication.

Section 2

How Rev. 3 changes the way teams should read the guide

Rev. 2 readers will notice that Rev. 3 is less about a single incident lifecycle and more about managing incident response as part of broader cyber risk management. NIST explicitly says the details of how to perform incident response change often and vary across technologies, environments, and organizations, so those details are no longer captured in one static publication.

Instead, the document points readers toward the CSF 2.0 ecosystem, including the CSF website, the Incident Response project page, and the Cybersecurity and Privacy Reference Tool (CPRT) for mappings and additional implementation resources.

Use the publication as a profile and mapping aid, not as a step-by-step incident playbook.
Expect the guidance to connect incident response with governance, supply chain risk, continuous monitoring, analysis, mitigation, reporting, and recovery.
Use the linked NIST resources for implementation details instead of treating this document as the final procedural authority.

Sources for this answer

Explains that the publication focuses on incident response recommendations and considerations throughout cybersecurity risk management and that details are no longer maintained in a single static publication.

Shows the publication points readers to the CSF 2.0 community profile approach.

Supports the use of CSF 2.0 resources, profiles, and online references.

Section 3

What visitors should take away from the Rev. 3 change log

The revision is a complete rewrite intended to improve clarity and usability while removing outdated material and material covered in more depth elsewhere. It also shifts the focus from a narrow incident-handling model to continuous cybersecurity risk management across all six CSF Functions.

For practical use, that means teams should look for the revised lifecycle model, the roles and responsibilities section, the policy and procedures guidance, and the two-part CSF Community Profile tables that separate preparation from incident response.

Look for the new CSF-based incident response lifecycle model, including the mapping from the previous four-phase model to CSF Functions.
Use the roles-and-responsibilities guidance to account for internal teams, third parties, leadership, legal, public affairs, and asset owners.
Use the CSF Community Profile tables to separate preparation and lessons learned from active response and recovery activities.

Sources for this answer

States that the publication was developed as a CSF 2.0 Community Profile and includes sections on incident response as part of cybersecurity risk management and on community profile recommendations.

Confirms the publication date and revised title.

Provides the CSF structure that the new publication uses.

Recommended next step

Put this NIST SP 800-61 Rev. 3 guidance into practice

Use the cited sources to turn the guidance into scoped decisions, owners, evidence requests, and review checkpoints.

Assessment workflow

Open Assessment Autopilot for NIST SP 800-61 Rev. 3

Create source-linked tasks, evidence requests, and review checkpoints for this NIST SP 800-61 Rev. 3 scope.

Explore next step

Talk to Sorena

Review this NIST SP 800-61 Rev. 3 scope with Sorena

Check source coverage, ownership, evidence gaps, and next steps before publishing or operationalizing the work.

Explore next step

Primary sources

References and citations

doi.org

Referenced sections

Provides the CSF structure that the new publication uses.

"organized as Functions, Categories, and Subcategories"

doi.org

Referenced sections

Confirms the publication date and revised title.

"April 2025"