A severity model built from the risk factors NIST Rev. 3 actually names.
Designed to improve prioritization, escalation, and recovery timing decisions.
SP 800-61r3 says incidents should not be handled on a first-come, first-served basis. Instead, incident triage, prioritization, escalation, elevation, and decisions on when to initiate recovery should be based on risk evaluation factors. A usable severity and SLA model should therefore reflect those factors directly rather than relying on arbitrary severity labels.
NIST gives concrete examples of risk evaluation factors in RS.MA, including asset criticality, functional impact, data impact, stage of observed activity, threat actor characterization, and recoverability. Those factors are better building blocks for severity than generic medium-high labels alone.
Teams should score or describe these factors explicitly during triage so later reviewers can see why the incident received its initial priority.
Severity should drive more than acknowledgment times. It should determine who is involved, how quickly validation happens, whether recovery planning begins immediately, and how often leadership updates are provided.
A high-severity incident may still need a measured containment approach if observation is justified, but that decision should be explicit and approved.
NIST does not prescribe universal timing numbers. That is appropriate because organizations have different resources and risk tolerances. The important point is to link timing targets to the same risk evaluation factors used in prioritization.
This keeps the SLA model defensible when incidents vary widely in scope and complexity.
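The factor-based model described above, sketched as an added Python example (not code from NIST or from this page's author). The 0-3 scale, the thresholds, the SEV labels, the role names and every timing value are assumptions standing in for an organization's own choices; each score must carry a rationale, and every reclassification is logged for later review.

```python
from dataclasses import dataclass, field

# The six RS.MA factors named above; scoring each 0-3 is an assumption.
FACTORS = ("asset_criticality", "functional_impact", "data_impact",
           "activity_stage", "threat_actor", "recoverability")
# Hypothetical profiles; every number is an organizational choice, not a NIST value:
# (validate within min, leadership update every N h, plan recovery now, roles)
PROFILES = {
    "SEV1": (15, 2, True, ("ir_lead", "ciso", "legal", "service_owner")),
    "SEV2": (60, 8, True, ("ir_lead", "service_owner")),
    "SEV3": (240, 24, False, ("ir_analyst",)),
    "SEV4": (1440, None, False, ("ir_analyst",)),
}

def classify(scores, rationale):
    bad = [f for f in FACTORS
           if scores.get(f) not in (0, 1, 2, 3) or not rationale.get(f)]
    if bad:
        raise ValueError(f"factors unscored or unexplained: {bad}")
    top, total = max(scores[f] for f in FACTORS), sum(scores[f] for f in FACTORS)
    # One maximal factor floors the result at SEV2 so it is not averaged away.
    if total >= 13 or (top == 3 and total >= 10):
        return "SEV1"
    if top == 3 or total >= 8:
        return "SEV2"
    return "SEV3" if total >= 4 else "SEV4"

@dataclass
class Triage:
    scores: dict      # factor -> 0..3
    rationale: dict   # factor -> analyst's stated reason, kept for reviewers
    history: list = field(default_factory=list)  # (factor, before, after, reason)

    def rescore(self, factor, value, reason):
        before = classify(self.scores, self.rationale)
        after = classify({**self.scores, factor: value},
                         {**self.rationale, factor: reason})  # validate first
        self.scores[factor], self.rationale[factor] = value, reason
        self.history.append((factor, before, after, reason))
        return after

    def plan(self):
        sev = classify(self.scores, self.rationale)
        minutes, hours, recover_now, roles = PROFILES[sev]
        return {"severity": sev, "validate_within_min": minutes, "engage": roles,
                "leadership_update_hours": hours, "plan_recovery_now": recover_now}

def sample():  # constructed incident: one critical asset, otherwise low scores
    return Triage(dict(zip(FACTORS, (3, 1, 1, 2, 1, 1))),
                  {f: f"constructed reason for {f}" for f in FACTORS})
```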
A severity model is only useful if it improves decisions. Review whether incidents were under-classified, over-classified, or reclassified too often, and whether recovery started too early or too late.
These measures help refine the model as threats, technology, and dependencies change.