IR-8 Incident Response Plan

Family: IR
Baselines: moderate
Mapped KSIs: 3

Control statement

a. Develop an incident response plan that:
    1. Provides the organization with a roadmap for implementing its incident response capability;
    2. Describes the structure and organization of the incident response capability;
    3. Provides a high-level approach for how the incident response capability fits into the overall organization;
    4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
    5. Defines reportable incidents;
    6. Provides metrics for measuring the incident response capability within the organization;
    7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
    8. Addresses the sharing of incident information;
    9. Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }}; and
    10. Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.
b. Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};
c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
d. Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }}; and
e. Protect the incident response plan from unauthorized disclosure and modification.

(b) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
(d) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

| KSI | Title | Category |
| --- | --- | --- |
| KSI-INR-01 | Incident Response Procedures: _Persistently_ review the effectiveness of documented incident response procedures. | Incident Response |
| KSI-INR-02 | Incident Review: _Persistently_ review past incidents for patterns or _vulnerabilities_. | Incident Response |
| KSI-INR-03 | Incident After Action Reports: Generate incident after action reports and _persistently_ incorporate lessons learned. | Incident Response |