NIST SP 800-171 Family: Incident Response

Colonial Pipeline’s ransomware attack disrupted millions of lives and brought vital infrastructure to its knees. Can your organization survive such a attack? Take action to bolster your cybersecurity defenses and protect critical services from a similar fate.

Downloadable Checklist Here

Introduction to Incident Response

Incident Response (IR), a family of controls in the NIST SP 800-171 program consists of planning and strategic objectives to protect data and information in case of security incidents involving controlled unclassified information (CUI) in a business system of employees to properly mitigate security incidents.

Below are the three IR controls which represent a focus on securing CUI. Although these controls were originally crafted to secure CUI, their implementation is a benefit to security with respect to any kind of data.

  • 3.6.1 Establish an operational incident-handling capability
  • 3.6.2 Track, document, and report incidents to designated officials and/or authorities
    3.6.3 Incident Response Handling

For an organization to stay in business, it must successfully weather setbacks and bounce back from misfortunes. One of the biggest obstacles businesses today must overcome is a security incident, especially so because organizations today heavily rely on computers for innovation, research and development, organizational management, and even marketing in their field. There is a direct relationship between a company’s incident response (IR) strategy and their means to stay afloat in adverse conditions when faced with a security incident because of this reliance on computers. The implementation of the three IR controls in the IR family of the NIST SP 800-171 program can be thought of as fortifications to strengthen a business system so it may continue to survive by utilizing a strong incident response strategy. 

The Electoral Commission (TEC), the UK election watchdog, made the mistake of not having adequate incident response measures in place and paid the price: loss of credibility. The personal data of 40 MM voters who used TEC to vote from 2014 to 2022 was exposed. Data leaked includes UK citizens’ full names, email addresses, home addresses, phone numbers, any personal images uploaded to TEC related sites, and details provided in TEC contact forms (1). Had TEC implemented 3.6.1, the IR control concerning detection and containment of an incident, the company may have seen much less data exposed during the attack. Seek incident response protocols that contrast to TEC’s poor reaction and non-existent recovery. TEC should have promptly notified organizational officials and appropriate authorities of incident details as according to the 3.6.2 control concerning notification and reporting. Such incident reporting could allow a company like TEC to mitigate damage to their reputation by responding swiftly. Ideally, the swift response after reporting should consist of 3.6.1 control-based capabilities focusing on preparation, detection, analysis, containment, recovery, and specific user protocols that were implemented ahead the incident and tested according to 3.6.3 standards. TEC’s failure to implement these controls which would have fortified the company with appropriate incident response measures not only cost them a large blow to their reputation as a responsible, vigilant, and credible company, but also may affect the confidence UK voters have in the election process regardless of the incident details.

Another large business, MGM, could have mitigated the damage from the attacks on their Okta and Azure cloud servers (2) much sooner if MGM, Okta (MGM’s identity and authentication management provider), and Microsoft Azure (MGM’s cloud service provider), had more adequate incident response measures in place at the time of the incident. Had they all reported the incident as outlined by the 3.6.2 control about incident tracking and notification, the companies may have been quicker to mitigate the situation. Not only did the failure of MGM, Microsoft Azure, and Okta to implement IR controls sour MGM’s reputation in the hospitality industry (not to mention the impact on the reputations of MGM’s various subsidiaries in other industries), Microsoft Azure’s reputation as a secure cloud provider, and Okta’s reputation as a secure identity provider, but also quicker incident mitigation and recovery may not have cost MGM a projected $100 MM (3) in potential revenue from ceasing all operations for as long as they did.

To make sure you are following the path of safety and security so your business does not end up in similar positions as MGM and TEC, take note of the items included in the checklist below.



    1. Electoral Commission hack exposed data of 40 million UK voters | TechCrunch
    2. The MGM Resorts Attack: Initial Analysis (
    3. Casino giant MGM expects $100 mln hit from hack that led to data breach | CNN Business

*If you don’t receive your checklist shortly, check your spam folder*