FedRAMP Controls / IR

IR-4 Incident Handling

Family: IR
Baselines: moderate
Mapped KSIs: 5

Control statement

a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

Requirement: The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

| KSI | Title | Description | Category |
|---|---|---|---|
| KSI-AFR-03 | Authorization Data Sharing | Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations. | Authorization by FedRAMP |
| KSI-AFR-04 | Vulnerability Detection and Response | Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations. | Authorization by FedRAMP |
| KSI-INR-01 | Incident Response Procedures | _Persistently_ review the effectiveness of documented incident response procedures. | Incident Response |
| KSI-INR-02 | Incident Review | _Persistently_ review past incidents for patterns or _vulnerabilities_. | Incident Response |
| KSI-INR-03 | Incident After Action Reports | Generate incident after action reports and _persistently_ incorporate lessons learned. | Incident Response |