NIST CSF 2.0 - Recover

RC.CO-03: Recovery Communication

RC.CO-03 requires that recovery activities and progress be communicated to designated internal and external stakeholders. This NIST CSF 2.0 control falls under the Recover (RC) function and the Recovery Communication category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: RC.CO-03
Title: Recovery Communication
Function: Recover (RC)
Category: Recovery Communication
Framework: NIST CSF 2.0

Recovery activities and progress are communicated to designated internal and external stakeholders.

Communication includes restoration status, residual risks and any operational changes resulting from the incident.

Why This Matters

Stakeholders depend on accurate recovery information to make business decisions. Without structured communication, customers may lose confidence and regulators may question the organization's competence.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of RC.CO-03.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with RC.CO-03 during an audit.

  • Recovery communication plan document
  • Stakeholder notification list for recovery updates
  • Archived recovery status communications
  • Legal review records for public recovery statements

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with RC.CO-03.

  • Recovery communications are ad hoc with no pre-defined plan or stakeholder list
  • Public statements about recovery are made without legal review
  • Recovery communications are not archived for future reference

FAQ

What does RC.CO-03 require?
RC.CO-03 (Recovery Communication) requires that recovery activities and progress are communicated to designated internal and external stakeholders. Communication includes restoration status, residual risks and any operational changes resulting from the incident. This control is part of the NIST CSF 2.0 Recover function under the Recovery Communication category.
How do I prove compliance with RC.CO-03?
To demonstrate compliance with RC.CO-03, prepare the following evidence: Recovery communication plan document; Stakeholder notification list for recovery updates; Archived recovery status communications. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
