---
title: "NIST SP 800-61r3 Severity Classification and SLA Model"
canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/severity-classification-and-sla-model"
source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/severity-classification-and-sla-model"
author: "Sorena AI"
description: "Grounded severity and SLA model for NIST SP 800-61r3 using NIST risk evaluation factors such as asset criticality, impact, scope, threat behavior."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "NIST SP 800-61r3 severity model"
  - "risk evaluation factors"
  - "asset criticality"
  - "recoverability"
  - "incident triage"
  - "response SLA"
  - "recovery initiation criteria"
  - "GLOBAL compliance"
  - "NIST SP 800-61r3"
  - "Severity model"
  - "Incident SLA"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# NIST SP 800-61r3 Severity Classification and SLA Model

Grounded severity and SLA model for NIST SP 800-61r3 using NIST risk evaluation factors such as asset criticality, impact, scope, threat behavior.

*Prioritization* *GLOBAL*

## NIST SP 800-61r3 Severity Classification and SLA Model

A severity model built from the risk factors NIST Rev. 3 actually names.

Designed to improve prioritization, escalation, and recovery timing decisions.

SP 800-61r3 says incidents should not be handled on a first-come, first-served basis. Instead, incident triage, prioritization, escalation, elevation, and decisions on when to initiate recovery should be based on risk evaluation factors. A usable severity and SLA model should therefore reflect those factors directly rather than relying on arbitrary severity labels.

## Base severity on the Rev. 3 risk evaluation factors

NIST gives concrete examples of risk evaluation factors in RS.MA, including asset criticality, functional impact, data impact, stage of observed activity, threat actor characterization, and recoverability. Those factors are better building blocks for severity than generic medium-high labels alone.

Teams should score or describe these factors explicitly during triage so later reviewers can see why the incident received its initial priority.

- Asset criticality and mission importance
- Functional impact and operational disruption
- Data impact, including sensitivity and likely exposure
- Stage of activity, threat behavior, and recoverability

## Map severity to response, escalation, and recovery decisions

Severity should drive more than acknowledgment times. It should determine who is involved, how quickly validation happens, whether recovery planning begins immediately, and how often leadership updates are provided.

A high-severity incident may still need a measured containment approach if observation is justified, but that decision should be explicit and approved.

- Critical: immediate incident lead assignment, rapid validation, containment, and leadership coordination
- High: accelerated triage, cross-team involvement, and defined legal or privacy review windows
- Medium: scheduled response with monitored status and explicit reassessment triggers
- Low: monitored handling with escalation if impact, scope, or evidence quality changes

## Use SLAs as internal operating targets, not as substitutes for judgment

NIST does not prescribe universal timing numbers. That is appropriate because organizations have different resources and risk tolerances. The important point is to link timing targets to the same risk evaluation factors used in prioritization.

This keeps the SLA model defensible when incidents vary widely in scope and complexity.

- Set response targets for validation, containment start, recovery decision, and stakeholder update cadence
- Allow justified overrides when new evidence changes magnitude or recoverability
- Require documented rationale for severity changes and missed targets

## Measure severity quality, not just speed

A severity model is only useful if it improves decisions. Review whether incidents were under-classified, over-classified, or reclassified too often, and whether recovery started too early or too late.

These measures help refine the model as threats, technology, and dependencies change.

- Track reclassification rates and reasons
- Track SLA attainment by severity tier
- Track whether magnitude estimates were later proven too low or too high
- Track whether lessons learned changed scoring criteria or recovery thresholds

*Recommended next step*

*Placement: after the scope or definition section*

## Use NIST SP 800-61r3 Severity Classification and SLA Model as a cited research workflow

Research Copilot can take NIST SP 800-61r3 Severity Classification and SLA Model from clarifying scope and applicability with cited answers to a reusable workflow inside Sorena. Teams working on NIST SP 800-61r3 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for NIST SP 800-61r3 Severity Classification and SLA Model](/solutions/research-copilot.md): Start from NIST SP 800-61r3 Severity Classification and SLA Model and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through NIST SP 800-61r3](/contact.md): Review your current process, evidence gaps, and next steps for NIST SP 800-61r3 Severity Classification and SLA Model.

## Primary sources

- [NIST SP 800-61r3 - DOI](https://doi.org/10.6028/NIST.SP.800-61r3?ref=sorena.io) - Primary source for incident triage, prioritization, and response management considerations.
- [NIST SP 800-61r3 publication page](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - Official publication details and additional resources.
- [NIST CSF 2.0 (CSWP 29) - DOI](https://doi.org/10.6028/NIST.CSWP.29?ref=sorena.io) - Framework context for outcomes used in incident response prioritization.

## Related Topic Guides

- [NIST SP 800-61r3 Compliance Playbook | CSF 2.0 Incident Response](/artifacts/global/nist-sp-800-61-rev-3/compliance.md): Grounded incident-response playbook for NIST SP 800-61r3 covering the CSF 2.0 community-profile model, roles, risk-based incident management, communications.
- [NIST SP 800-61r3 FAQ | Practical Incident Response Questions](/artifacts/global/nist-sp-800-61-rev-3/faq.md): Practical FAQ on NIST SP 800-61r3 covering what changed from r2, incident declaration, risk evaluation factors, containment versus observation.
- [NIST SP 800-61r3 Incident Response Playbook Template](/artifacts/global/nist-sp-800-61-rev-3/incident-response-playbook-template.md): Grounded incident-response playbook template based on NIST SP 800-61r3 with incident criteria, incident lead, risk evaluation factors, communications tracks.
- [NIST SP 800-61r3 vs ISO 27035 | Incident Response Comparison](/artifacts/global/nist-sp-800-61-rev-3/nist-800-61-vs-iso-27035.md): Grounded comparison of NIST SP 800-61r3 and ISO 27035 covering the CSF 2.0 community-profile model, management-process structure, communications, recovery.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/nist-sp-800-61-rev-3/severity-classification-and-sla-model