Next-Gen Incident Response: Adapting to Evolving Threats


Incident response is a critical function in any security program. It defines steps to take before, during, and after an incident occurs. CTInfoSec considers this a key policy to have and urges organizations to develop a strong plan with multiple playbooks to handle appropriate threats.

Traditionally, an incident response lifecycle encompasses a standard set of steps: preparation, detection, containment and recovery, and post-incident actions. This model, supported by many in the industry including policy creators such as NIST, was based on a different threat paradigm—one where incidents were confined, with limited boundaries and few ancillary considerations. Today, threats have evolved into multi-front incidents that require a different approach to response and management.

In 2024, NIST released an update to SP 800-61 for incident handling, which moved into Final status in April 2025. The new guidance changes the previous life cycle to better align with the CSF 2.0 functions. The driving idea is that by using the six functions, organizations will be better positioned to prevent and handle new incidents, reduce impacts, and quickly leverage lessons learned before, during, and after an incident.

The new design can be split into distinct phases: preparation, lessons learned, and incident response. Although this approach appears new, it largely retains the same functionality. The intent is to improve continuously rather than wait until the postmortem to discover lessons learned. This is evident from the crosswalk of the CSF 2.0 functions to the previous lifecycle, shown below.

Figure: Incident response life cycle model based on CSF 2.0 Functions (image from NIST SP 800-61r3)

Here it is clear that identification of risk and improvements are leveraged throughout the incident response life cycle. This is an important distinction, as post-mortems were previously the primary resource for insights. The reason behind this is that as insights are gained, they should be immediately shared to better inform the response going forward.

Other areas such as governance are newer to incident response in some ways but have existed within the CSF for some time. Governance can require significant administrative overhead and coordination. It is often seen as less important than the actual implementation of solutions, so it comes later. However, governance and policies should drive decision-making. Establishing rules and guidance upfront enables clear and aligned choices later.

The other functions will be familiar to most organizations leveraging a traditional lifecycle for management. The totality of control elements should be reviewed, and if possible, companies can self-assess their preparedness using the Community Profile, which sets priority for each element.

CTInfoSec has had good success in migrating organizations to this reference model, which we believe presents an improvement over earlier, more isolated and static response plans. By getting ahead of issues through identifying risks, lessons learned, and incorporating strong governance, incident response procedures can be greatly improved.

Looking to shift to this new model or need assistance with your incident response plan? We are here to help; contact us now.

Image credit: NIST. 2025. “NIST Cybersecurity Framework.” https://www.nist.gov/cyberframework
NIST SP 800-61r3: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf