In the unfortunate event that a breach occurs, organizations must have a plan in place to respond and recover. StateRAMP borrows requirements from FedRAMP and NIST 800-53 to define exactly how state and local governments can build incident response into their overall security infrastructure.
Why Do Organizations Need Incident Response Plans?
Security events happen. Even with the best security measures in place, hackers can squeeze through either due to technological weaknesses or user missteps. That’s why organizations must have plans in place to address these issues.
There’s a certain level of meta-preparation here. Implementing security controls and IT measures falls under one lane of preparation while having clear policies and practices to identify and address security events as they happen is another.
Broadly speaking, there are a few steps that will serve as part of an incident response plan:
- Preparation: Preparation refers to anything and everything one does before a security incident–defining policies and procedures, outlining monitoring processes, implementing specific configurations for tools like SIEM or dashboard observation, establishing roles and responsibilities for response and decision-making, etc.
- Identification: Identifying threats involves collecting evidence, monitoring system events, and using insights and analysis to determine how these events begin and evolve.
- Containment and Mitigation: In the event of a security breach, an organization must be able to respond to it quickly and effectively. This can mean containing that threat so it doesn’t impact other adjacent systems or completely mitigating it through changes in account settings or system configurations.
- Recovery: Forensic evidence can help the organization make changes to address the event’s fallout. This may include upgrading or patching affected systems, replacing infected media, and implementing new controls to address potential vulnerabilities in the future.
Incident response plans are a critical part of any organization’s security posture, and as such, the requirements for them are part of nearly any security standard and regulation, including StateRAMP.
StateRAMP and Incident Response Controls (IR)
StateRAMP is derived from FedRAMP, and as such, it pulls select controls from that standard. This includes several controls from the Incident Response (IR) family found in NIST Special Publication 800-53.
Furthermore, StateRAMP documentation designates which Impact Levels (Low, Low+, and Moderate) each control applies to, with some controls only appearing at the higher levels.
These controls include:
Incident Response Policy and Procedures (IR-1)
- Policies: The organization must have organizational-level incident response policies that cover compliance with StateRAMP systems and data processing. This plan must be disseminated to all relevant organizational stakeholders and include appropriate processes to address security and compliance requirements.
- Roles and Responsibilities: The organization must define the roles and responsibilities involved in incident response. This includes positional hierarchies, management responsibilities, and any punitive measures taken for a breach of either.
- Review: The organization must conduct regular reviews of policies and procedures to address new threats, new technologies, and any recent security incidents.
Incident Response Training (IR-2)
Any employee who works with system resources or data that fall under StateRAMP regulations must receive relevant incident response training. This training should apply to their position and the tasks they undertake concerning StateRAMP-regulated data.
Incident Response Testing (IR-3)
Organizations should regularly test their incident response policies and capabilities to ensure they operate as expected. This testing must include simulations, walk-throughs, checklist assessments, and other testing methods.
At StateRAMP Moderate, organizations must also include business continuity, disaster recovery, continuity of operations, contingency, crisis communication, infrastructure, and emergency plans as part of their coordination with incident response efforts.
Incident Handling (IR-4)
Organizations must demonstrate the capacity to:
- Implement incident handling processes in line with policies and procedures, including capabilities for preparation, detection/identification, analysis, containment, and recovery.
- Coordinate activities with other contingency plans.
- Utilize security incidents to inform updated incident handling reviews.
Part and parcel of this requirement is the ability of organizations to incorporate all relevant practices that go into incident response. This incorporation includes having reporting and communication in place to move information about incidents up and down the hierarchy and identify critical areas where security incidents are more likely to occur (phishing emails, API attacks, etc.).
Additionally, requirements at the Moderate Level include using automated incident handling processes to collect live response data, network packet capture, and forensic analysis.
Incident Monitoring (IR-5)
Incidents must be reported and monitored throughout their lifecycle. Organizations must track and document these incidents, communicating them to relevant response teams and stakeholders. This documentation can come from network monitoring tools, incident reports, user interactions, third-party vendors and supply chain partners, and auditing tools.
Incident Reporting (IR-6)
Simply put, this requirement states that an organization must have policies dictating that personnel report suspected incidents within a predetermined time frame, that there is a position or role responsible for receiving these reports, and that personnel know who holds this position and how to contact that person.
At StateRAMP Moderate, organizations must also include automated reporting mechanisms, like email or messaging, that stem from the automated incident response capabilities detailed in IR-4.
Incident Response Assistance (IR-7)
The organization must integrate or create resources to support incident response handling, specifically on behalf of users. This includes options like a response help desk, ticketing, and consumer redress systems.
At StateRAMP Low+, organizations must also establish operational relationships with external providers of system protection capabilities, specifically managed security and response services.
At StateRAMP Moderate, organizations must meet everything required at Low+ and also give users the ability to obtain response assistance via push/pull mechanisms, like website assistance or proactive incident information sent via email.
Incident Response Plan (IR-8)
IR-8 requires several control implementations for incident response plans. These controls include:
- Roadmap: The organization must have a roadmap demonstrating how it will implement its incident response plan.
- Structure: Response capabilities must be mapped to a structure that includes response procedure structure; an illustration of how these capabilities fit into the organizational hierarchies; a description of how IR capabilities meet the mission, function, and value proposition of the organization; and a definition of reportable incidents.
- Metrics: The organization must be able to measure the performance of IR capabilities to determine success or failure.
- Resources: The plan must articulate the available resources that support personnel in their responsibilities within the IR plan.
- Information Sharing: The plan must illustrate when, how, where, and for how long incident information must be shared with relevant stakeholders.
- Protection: The organization must have security to protect incident response information from unauthorized disclosure.
Furthermore, the organization must distribute copies of the plan to those responsible for the practices defined therein, update the plan in response to changes in technology or vulnerabilities, and communicate those changes to those enacting the plan.
Incident Spillage Response (IR-9)
Information spillage is the problem of protected data “spilling over” into unauthorized systems where StateRAMP policies don’t protect it. At a bare minimum, rapid corrective action must be taken to correct the issue and sanitize any system or media where the information was found. This corrective action includes identifying contaminated systems, quarantining them, completely eradicating traces of the unauthorized information, and auditing systems to ensure that none of the problematic information remains.
This requirement is only expected at StateRAMP Low+ and Moderate levels.
Additionally, StateRAMP Moderate also requires that organizations provide training for spillage response, implement procedures to ensure that personnel using contaminated systems can continue in their tasks during decontamination, and provide information about laws, orders, policies, regulations, and standards related to their exposure to contaminated systems.
Monitor Personnel Security Controls with Continuum GRC
To protect your critical assets, you should always take personnel security seriously–if not for compliance. With the Continuum GRC Platform, you can identify, monitor, and maintain your PS controls in real-time while managing StateRAMP compliance.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.