What is NIST SP 800-61?

NIST Special Publication 800-61 is the U.S. federal reference for computer security incident handling. Revision 3 (April 2025) defines the canonical six-phase incident response lifecycle: Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity.

When was NIST SP 800-61 Rev. 3 published?

NIST published Revision 3 on 3 April 2025. It restructures the guide around the NIST CSF 2.0 functions and updates lifecycle terminology. Earlier revisions: Rev. 2 (August 2012), Rev. 1 (March 2008).

Is NIST 800-61 mandatory?

It is required for U.S. federal civilian agencies under FISMA and OMB Circular A-130. For private organizations it is the de facto baseline cited by FedRAMP, CMMC, HITRUST, many cyber insurance applications, and state procurement requirements.

What are the six phases of NIST 800-61 Rev. 3?

Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity. Rev. 3 separated Containment from Eradication and Recovery, which were combined in Rev. 2.

Does NIST 800-61 require an AAR?

Yes. The Post-Incident Activity phase explicitly requires a structured review of the incident, capturing what happened, lessons learned, and recommendations for improvement. The After Action Review (or equivalent lessons learned document) is the primary deliverable.

NIST SP 800-61 - Computer Security Incident Handling Guide

NIST Special Publication 800-61 is the U.S. National Institute of Standards and Technology reference for computer security incident handling. Revision 3, published 3 April 2025, restructures the guide around the NIST Cybersecurity Framework 2.0 functions and replaces the older four-phase lifecycle with a six-phase model. NIST SP 800-61 is the de facto baseline for U.S. federal agencies and the most commonly cited IR framework worldwide.

Source: NIST SP 800-61 Rev. 3 (April 2025). Earlier revisions: Rev. 2 (August 2012), Rev. 1 (March 2008).

The Six-Phase Lifecycle

NIST SP 800-61 Rev. 2 (2012) defined four phases. Rev. 3 (2025) restructures into six aligned to the NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover):

Preparation: governance, roles, plans, tools, training, tabletop exercises
Detection and Analysis: identifying that an incident has occurred and scoping it
Containment: limiting the spread and impact of the incident
Eradication: removing the adversary's persistence and access
Recovery: restoring systems to normal operation with confidence the threat is gone
Post-Incident Activity: AAR, lessons learned, control improvements

What Changed in Rev. 3

Alignment with NIST CSF 2.0, including the new Govern function
Stronger emphasis on continuous improvement and recovery activities
Updated guidance on cloud, supply chain, and managed-service incidents
Recognition of attorney-client privilege in DFIR engagement
Expanded coverage of regulatory notification clocks

Why It Matters

NIST SP 800-61 is the framework most U.S. regulators, auditors, cyber insurers, and federal contracts reference when evaluating incident response programs. FedRAMP, FISMA, CMMC, HITRUST, and many state procurement requirements explicitly cite 800-61. Cyber insurance applications routinely ask whether the insured operates an incident response program "aligned to NIST 800-61."

Run NIST 800-61 from one platform

IR-OS encodes the NIST SP 800-61 lifecycle as workflows, with phase tracking, role assignments, and defensible records aligned to the framework.

Start free

NIST SP 800-61 - Computer Security Incident Handling Guide

The Six-Phase Lifecycle

What Changed in Rev. 3

Why It Matters

Related Terms

Run NIST 800-61 from one platform