Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

NIST Releases Updated Incident Response Guidance Under Its Cybersecurity Framework

During the Biden administration, there was a push to prioritize and modernize cybersecurity responses, and the National Institute of Standards and Technology (NIST) agreed to work with the technology industry to develop a new cybersecurity framework. Now, those promises have come to fruition as NIST has provided updated industry-leading guidance in the cybersecurity field.

In February 2024, NIST released updated guidance to its Cybersecurity Framework (CSF 2.0). The goal of CSF 2.0 is to set forth a high-level taxonomy of cybersecurity risks and of how organizations can improve their cybersecurity programs, their responses to cyber-attacks, and their post-attack outcomes. NIST’s newest guidance, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, was released in April 2025 and refines the general guidance in CSF 2.0 into more specific action items that companies can undertake to improve their cybersecurity response.

Understanding the Incident Response Life Cycle

The latest guidance sets forth six principles for companies to consider when planning for incident response, so that effective programs are identified, in place, and ready to respond to cyber threats. NIST defines the principles as follows:

  • Govern: Establish, communicate, and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.
  • Identify: Identify and manage assets, vulnerabilities, and risks that could lead to cybersecurity incidents.
  • Protect: Implement safeguards that protect assets and data to manage the organization's cybersecurity risks.
  • Detect: Proactively find and analyze possible cybersecurity attacks and compromises.
  • Respond: Manage, prioritize, contain, and eradicate incidents, while simultaneously reporting and communicating the incidents to the appropriate parties.
  • Recover: Restore assets and operations affected by a cybersecurity incident.

Taken together, these six steps are intended to emphasize continuous improvement for organizations’ cybersecurity protocols to ensure they can adapt and enhance their incident response and cybersecurity risk management practices as threats evolve and change.

Defining Roles and Responsibilities for Incident Response Management

The NIST report emphasizes that cybersecurity response teams need to be broader than they were in the past. Previously, NIST recommended and supported the “incident handler” model, in which a dedicated team within the company managed and responded to cybersecurity threats. Given the complexity of cyber systems and the threats they face, NIST now recommends expanding the set of employees involved in a company’s cybersecurity incident response process to include, for example, company leadership, legal teams, technology professionals, public relations teams, and human resources. NIST also recommends a “shared responsibility” model for the incident handler team, in which cybersecurity operations are partially or wholly outsourced to well-resourced, dedicated third parties whose responsibilities are clearly delineated by contract. NIST believes that these steps will help companies address and resolve cybersecurity incidents more efficiently, thereby better protecting their data and assets.

Rewriting Incident Response Policies, Processes and Procedures, and Using Playbooks

The NIST report outlines the essential components and recommendations for companies to consider when establishing effective incident response policies, processes, and procedures within an organization. For incident response policies, NIST recommends the policy include key elements such as a statement of management commitment, the purpose and objectives of the policy, the scope of the policy, definitions of events and incidents, roles and responsibilities, guidelines for prioritizing incidents, and performance measures.

Processes and procedures should be tied to these policies and should document the technical and operational know-how necessary to respond to cybersecurity incidents, especially for the most common types of incidents and threats. NIST recommends that companies consider formatting these procedures as a playbook, such as the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Incident and Vulnerability Response playbook, to document their processes and procedures for easy reproducibility and consistency across the organization.

The NIST report ends with an example template that companies can use to help implement NIST’s recommendations and adapt their cybersecurity practices to CSF 2.0.

Our team at Morgan Lewis is well suited to help companies review compliance programs and retool cybersecurity responses, including designing new policies to help navigate this evolving and challenging cyber threat landscape.