--- title: "NIST SP 800-61 Rev. 3 Changes Guide" canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/rev-3-changes" source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/rev-3-changes" author: "Sorena AI" description: "Practical NIST SP 800-61 Rev. 3 Changes Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "NIST SP 800-61 Rev. 3" - "Rev. 3 Changes Guide" - "NIST guidance" - "implementation checklist" - "evidence" - "audit readiness" - "NIST SP 800-61" - "Incident response" - "CSF 2.0" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # NIST SP 800-61 Rev. 3 Changes Guide Practical NIST SP 800-61 Rev. 3 Changes Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps. *Artifact Guide* *GLOBAL* *NIST SP 800-61 Rev. 3* ## NIST SP 800-61 Rev. 3 Rev. 3 Changes Guide Turn guidance into a standalone operating path with clear scope, accountable owners, evidence requirements, review cadence, and decision outputs. NIST SP 800-61 Rev. 3 is not just a refreshed incident-handling guide. The revision supersedes SP 800-61r2, rewrites the publication around cybersecurity risk management, and presents the content as a CSF 2.0 Community Profile for incident response and cyber risk management. ## What changed in NIST SP 800-61 Rev. 3 The biggest change is the scope. Rev. 3 moves away from a static how-to guide for detecting, analyzing, prioritizing, and handling incidents, and instead focuses on recommendations and considerations for incorporating incident response throughout cybersecurity risk management. The publication also reorganizes the material as a CSF 2.0 Community Profile, using CSF Functions, Categories, and Subcategories to organize the guidance and map incident response activities across Govern, Identify, Protect, Detect, Respond, and Recover. - Rev. 3 supersedes SP 800-61r2 (August 2012). - The document is titled "Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile". - The new structure emphasizes continuous risk management, not a one-time incident-handling workflow. Sources for this answer: - [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Shows that SP 800-61r3 is dated April 2025 and supersedes SP 800-61r2 (August 2012). - [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - Confirms the full title and April 2025 publication date for SP 800-61r3. - [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Supports the CSF 2.0 framework structure used in the revised publication. ## How Rev. 3 changes the way teams should read the guide Rev. 2 readers will notice that Rev. 3 is less about a single incident lifecycle and more about managing incident response as part of broader cyber risk management. NIST explicitly says the details of how to perform incident response change often and vary across technologies, environments, and organizations, so those details are no longer captured in one static publication. Instead, the document points readers toward the CSF 2.0 ecosystem, including the CSF website, the Incident Response project page, and the Cybersecurity and Privacy Reference Tool (CPRT) for mappings and additional implementation resources. - Use the publication as a profile and mapping aid, not as a step-by-step incident playbook. - Expect the guidance to connect incident response with governance, supply chain risk, continuous monitoring, analysis, mitigation, reporting, and recovery. - Use the linked NIST resources for implementation details instead of treating this document as the final procedural authority. Sources for this answer: - [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Explains that the publication focuses on incident response recommendations and considerations throughout cybersecurity risk management and that details are no longer maintained in a single static publication. - [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - Shows the publication points readers to the CSF 2.0 community profile approach. - [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Supports the use of CSF 2.0 resources, profiles, and online references. ## What visitors should take away from the Rev. 3 change log The revision is a complete rewrite intended to improve clarity and usability while removing outdated material and material covered in more depth elsewhere. It also shifts the focus from a narrow incident-handling model to continuous cybersecurity risk management across all six CSF Functions. For practical use, that means teams should look for the revised lifecycle model, the roles and responsibilities section, the policy and procedures guidance, and the two-part CSF Community Profile tables that separate preparation from incident response. - Look for the new CSF-based incident response lifecycle model, including the mapping from the previous four-phase model to CSF Functions. - Use the roles-and-responsibilities guidance to account for internal teams, third parties, leadership, legal, public affairs, and asset owners. - Use the CSF Community Profile tables to separate preparation and lessons learned from active response and recovery activities. Sources for this answer: - [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - States that the publication was developed as a CSF 2.0 Community Profile and includes sections on incident response as part of cybersecurity risk management and on community profile recommendations. - [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - Confirms the publication date and revised title. - [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Provides the CSF structure that the new publication uses. *Recommended next step* *Placement: after the practical workflow* ## Put this NIST SP 800-61 Rev. 3 guidance into practice Use the cited sources to turn the guidance into scoped decisions, owners, evidence requests, and review checkpoints. - [Open Assessment Autopilot for NIST SP 800-61 Rev. 3](/solutions/assessment.md): Create source-linked tasks, evidence requests, and review checkpoints for this NIST SP 800-61 Rev. 3 scope. - [Review this NIST SP 800-61 Rev. 3 scope with Sorena](/contact.md): Check source coverage, ownership, evidence gaps, and next steps before publishing or operationalizing the work. ## Primary sources - [NIST SP 800-61 Rev. 3 Incident Response](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Supports the NIST side by identifying SP 800-61 Rev. 3 as April 2025 guidance for incident preparation, detection, response, recovery, and lessons learned. - Quote: "incident response recommendations and considerations" - [NIST SP 800-61 Rev. 3 DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - DOI for the April 2025 incident response publication. - Quote: "incident detection, response, and recovery activities" - [NIST CSF 2.0 (CSWP 29)](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach. - Quote: "does not prescribe how outcomes should be achieved" ## Related Topic Guides - [How should teams handle communications under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/communications.md): How should teams handle communications under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps. - [How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/event-vs-incident.md): How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps. - [How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/lessons-learned.md): How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps. - [How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/post-incident-evidence.md): How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps. - [How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/reporting-clocks.md): How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps. - [How should teams handle severity under NIST SP 800-61 Rev. 3 incident response?](/artifacts/global/nist-sp-800-61-rev-3/faq/severity.md): How should teams handle severity under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps. - [NIST SP 800-61 Rev. 3 compliance playbook](/artifacts/global/nist-sp-800-61-rev-3/compliance.md): Practical NIST SP 800-61 Rev. 3 compliance playbook guidance with source-linked decisions, owner checklists, evidence records, and implementation steps. - [NIST SP 800-61 Rev. 3 CSF 2.0 Incident Profile Guide](/artifacts/global/nist-sp-800-61-rev-3/csf-2-0-incident-profile.md): Practical NIST SP 800-61 Rev. 3 CSF 2.0 Incident Profile Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps. - [NIST SP 800-61 Rev. 3 FAQ: practical implementation questions](/artifacts/global/nist-sp-800-61-rev-3/faq.md): Standalone NIST SP 800-61 Rev. 3 FAQ questions with source-linked answers, implementation checklists, and evidence guidance. - [NIST SP 800-61 Rev. 3 incident communications: stakeholder matrix and notification templates](/artifacts/global/nist-sp-800-61-rev-3/communications-and-escalation.md): Practical NIST SP 800-61 Rev. 3 Communications and Escalation Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps. - [NIST SP 800-61 Rev. 3 Incident Response Playbook Template](/artifacts/global/nist-sp-800-61-rev-3/incident-response-playbook-template.md): Practical NIST SP 800-61 Rev. 3 Incident Response Playbook Template guidance with source-linked decisions, owner checklists, evidence records, and implementation steps. - [NIST SP 800-61 Rev. 3 Post-Incident Evidence Log Workflow](/artifacts/global/nist-sp-800-61-rev-3/post-incident-evidence-log-workflow.md): A practical NIST SP 800-61 Rev. 3 Post-Incident Evidence Log Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers. - [NIST SP 800-61 Rev. 3 Severity Classification and SLA Model](/artifacts/global/nist-sp-800-61-rev-3/severity-classification-and-sla-model.md): Practical NIST SP 800-61 Rev. 3 Severity Classification and SLA Model guidance with source-linked decisions, owner checklists, evidence records, and implementation steps. - [NIST SP 800-61 Rev. 3 vs CISA playbooks: practical side-by-side comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-cisa-playbooks.md): Compare NIST SP 800-61 Rev. 3 and CISA playbooks with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows. - [NIST SP 800-61 Rev. 3 vs ISO 22301 business continuity: practical side-by-side comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-iso-22301.md): Compare NIST SP 800-61 Rev. 3 and ISO 22301 business continuity with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows. - [NIST SP 800-61 Rev. 3 vs ISO/IEC 27035: practical side-by-side comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-iso-27035.md): Compare NIST SP 800-61 Rev. 3 and ISO/IEC 27035 with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows. - [NIST SP 800-61 Rev. 3 vs NIS2 incident reporting: practical side-by-side comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-nis2.md): Compare NIST SP 800-61 Rev. 3 and NIS2 incident reporting with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows. - [NIST SP 800-61 Rev. 3: escalation decision workflow for incident communications](/artifacts/global/nist-sp-800-61-rev-3/communications-escalation-workflow.md): A practical NIST SP 800-61 Rev. 3 Communications Escalation Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers. - [What should recovery include in a NIST SP 800-61 Rev. 3 incident response process?](/artifacts/global/nist-sp-800-61-rev-3/faq/recovery.md): Recovery should include restoring affected services, validating that the incident is contained, confirming monitoring is in place, communicating status, preserving evidence, and deciding when normal operations can safely resume. - [Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3?](/artifacts/global/nist-sp-800-61-rev-3/faq/csirt-roles.md): Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/rev-3-changes