The Other Significant NIST change for CIRPs: Detect

In April 2025, NIST (US) published Revision 3 of SP 800-61, which updated its guidance for computer security incident response plans (CIRPs).

My previous posts on the NIST 800-61r3 changes focused on “NIST [800-61] Revision 3 integrating incident response into broader cybersecurity risk management, emphasizing a strategic, ongoing, and business-aligned approach rather than a standalone technical lifecycle.”

This new NIST guidance ALSO lists three components under the heading “Incident Response”, matching the CSF 2.0 functions of the same names: DETECT, Respond, and Recover.

800-61r3, starting at Section 3.2 on page 23, calls for a detailed “DETECT” narrative covering:

- What monitoring is expected to find:
  - “Anomalies” and “deviations from expected activity”
  - “Indicators of Compromise”
  - “Other potentially adverse events”

- Detailed assignments/narratives for each monitored asset category:
  - “Networks & network services”
  - “Physical environment”
  - “Personnel activity & technology usage”
  - “External Service Provider”
  - “Computing hardware and software, runtime environments, and their data”

- How findings are analyzed: “Information is correlated from multiple sources”

The wording is lifted directly from the CSF 2.0 Detect function: the monitoring goals and the five asset categories are the Continuous Monitoring subcategories (DE.CM-01, -02, -03, -06 and -09), and the correlation item is Adverse Event Analysis (DE.AE-03). That matters in practice because it means the narrative can be organized, and audited, by CSF subcategory ID rather than by whatever structure your SIEM vendor happens to use.

While the CIRPs I wrote over the last decade contained a narrative regarding “Indicators of Compromise (IOC)”, and a “bridge” or “transition” narrative from the detective controls (e.g. alerts) to the CIRP (i.e. “Thresholds”), this new requirement seems far more detailed. I interpret this as an edict from the government that you now need to have these detective controls listed somewhere in your CIRP (or at least referenced by the CIRP). This is all starting to look like the ISOC procedures / runbooks / SIEM workflows & correlation logic that I did at my previous job managing an ISOC. How much of this narrative is expected to be in the CIRP is unknown to me. But I would recommend that you have this information documented somewhere and at a minimum, referenced by the CIRP.
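As an added example (not from the post, and not NIST’s own material), here is what the “bridge” from alerts to the CIRP looks like when it is written down as code rather than narrative: a small Python correlation rule that tags each telemetry source with the DE.CM category it covers, scores a user’s events across a 30-minute window, and declares an incident only when the score crosses a threshold AND at least two monitoring categories agree. The source names, event kinds, weights, window, thresholds and sample log lines are all assumed values constructed for illustration.

```python
"""Multi-source correlation with an explicit incident threshold.

Added example, not from the post or from NIST. Source names, event kinds,
weights, the window and the threshold are assumed values for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Which CSF 2.0 DE.CM monitoring category each telemetry source covers
# (assumed mapping; in a real CIRP this table is the list of detective controls).
SOURCE_CATEGORY = {
    "firewall": "DE.CM-01",      # networks and network services
    "badge_reader": "DE.CM-02",  # physical environment
    "idp": "DE.CM-03",           # personnel activity and technology usage
    "saas_vendor": "DE.CM-06",   # external service provider activities
    "edr": "DE.CM-09",           # computing hardware/software, runtime, data
}

# Weight per event kind (assumed; tune per environment).
KIND_WEIGHT = {
    "auth_fail": 1,
    "auth_success_new_geo": 3,
    "new_admin_grant": 4,
    "egress_spike": 3,
    "after_hours_badge": 2,
    "edr_tamper": 5,
}

# The documented incident criteria: the "threshold" that moves a set of alerts
# out of the SIEM and into the CIRP (assumed values).
WINDOW = timedelta(minutes=30)
INCIDENT_SCORE = 6    # declare at or above this correlated score ...
MIN_CATEGORIES = 2    # ... but only when >= 2 DE.CM categories agree


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    user: str
    kind: str


@dataclass
class Assessment:
    user: str
    window_start: datetime
    score: int
    categories: list   # sorted DE.CM ids that contributed to the score
    declared: bool     # True when the incident criteria are met


def parse_line(line: str) -> Event:
    """Parse the constructed line format '<iso-ts> <source> user=<u> kind=<k>'."""
    ts, source, user_kv, kind_kv = line.split()
    if source not in SOURCE_CATEGORY:
        # A feed with no DE.CM owner is a gap in the Detect narrative, not a log bug.
        raise ValueError(f"unmapped source {source!r}: every feed needs a DE.CM category")
    return Event(datetime.fromisoformat(ts), source,
                 user_kv.split("=", 1)[1], kind_kv.split("=", 1)[1])


def assess(events):
    """Return, per user, the highest-scoring WINDOW and whether it crosses the threshold."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    results = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - start.ts <= WINDOW]
            score = sum(KIND_WEIGHT.get(e.kind, 0) for e in window)
            cats = sorted({SOURCE_CATEGORY[e.source] for e in window})
            if best is None or score > best.score:
                best = Assessment(user, start.ts, score, cats,
                                  score >= INCIDENT_SCORE and len(cats) >= MIN_CATEGORIES)
        results[user] = best
    return results


def declared_incidents(lines):
    """Only the assessments that meet the incident criteria, i.e. what triggers the CIRP."""
    results = assess(parse_line(l) for l in lines if l.strip())
    return [a for a in results.values() if a.declared]


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = """\
2025-06-01T08:00:00 idp user=alice kind=auth_fail
2025-06-01T08:00:20 idp user=alice kind=auth_fail
2025-06-01T08:00:45 idp user=alice kind=auth_fail
2025-06-01T09:10:00 idp user=bob kind=auth_fail
2025-06-01T09:10:30 idp user=bob kind=auth_success_new_geo
2025-06-01T09:15:00 saas_vendor user=bob kind=new_admin_grant
2025-06-01T09:20:00 firewall user=bob kind=egress_spike
2025-06-01T02:05:00 badge_reader user=carol kind=after_hours_badge
"""

if __name__ == "__main__":
    for a in assess(parse_line(l) for l in SAMPLE_LOG.splitlines()).values():
        state = "INCIDENT -> CIRP" if a.declared else "alert only"
        print(f"{a.user:6} score={a.score:2} categories={a.categories} {state}")
```

Run it and alice’s three failed logins stay an alert (one source, score 3), carol’s single after-hours badge swipe stays an alert, while bob’s chain of failed login, login from a new location, admin grant at the SaaS vendor and egress spike crosses the score threshold across three DE.CM categories and is handed to the CIRP. For the plan itself the useful parts are the constants at the top (they are the “threshold” the CIRP should reference) and the SOURCE_CATEGORY table (it is the per-category list of detective controls the Detect narrative has to enumerate); the parser raising on an unmapped feed is the check that catches a monitoring source nobody assigned to a category.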

If you have one of those “standalone technical lifecycle” CIRPs that proliferate across the industry, I can help you.