NIST 800-171 R-3.6.1
Establish an Incident-Handling Capability
Official citation: 3.6.1
Class: core · Severity: critical
Statement of the obligation — verify against source
3.6.1
What it means
Build an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user-response activities. Draw incident information from audit and network monitoring, physical-access monitoring, user and administrator reports, and supply-chain events, and coordinate across mission owners, system owners, HR, legal, security, operations, and procurement. Provide incident-response training matched to each role, and offer user assistance such as help-desk support and access to forensics.
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.