RS.CO-02 Incident Reporting - NIST CSF 2.0 Checklist

RS.CO-02 requires organizations to internal and external stakeholders are notified of incidents in accordance with laws, regulations and organizational policies. This NIST CSF 2.0 control falls under the Respond (RS) function and the Incident Response Reporting and Communication category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: RS.CO-02
Title: Incident Reporting
Function: Respond (RS)
Category: Incident Response Reporting and Communication
Framework: NIST CSF 2.0

Internal and external stakeholders are notified of incidents in accordance with laws, regulations and organizational policies.

Internal and external stakeholders are notified of incidents in accordance with laws, regulations and organizational policies. Timely and accurate incident reporting fulfills legal obligations and maintains stakeholder trust.

Why This Matters

Regulatory notification requirements carry strict deadlines. Failure to report within required timeframes results in fines, legal liability and reputational damage beyond the incident itself.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of RS.CO-02.

Identify all applicable incident notification requirements by jurisdiction
Define internal communication procedures for different incident severities
Prepare notification templates for regulators, customers and partners
Establish a process to determine if an incident triggers mandatory reporting
Track notification deadlines and ensure compliance with required timeframes
Brief public relations and executive leadership before external communications

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with RS.CO-02 during an audit.

Regulatory notification requirement matrix by jurisdiction
Internal incident communication procedures
Notification templates for various stakeholder types
Notification tracking log showing compliance with deadlines
Executive briefing records for incidents requiring external communication

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with RS.CO-02.

Notification requirements across jurisdictions have not been cataloged
No pre-approved notification templates exist so each incident starts from scratch
Legal team is engaged too late in the response process to meet notification deadlines

FAQ

What does RS.CO-02 require?

RS.CO-02 (Incident Reporting) requires that internal and external stakeholders are notified of incidents in accordance with laws, regulations and organizational policies. Timely and accurate incident reporting fulfills legal obligations and maintains stakeholder trust. This control is part of the NIST CSF 2.0 Respond function under the Incident Response Reporting and Communication category.

How do I prove compliance with RS.CO-02?

To demonstrate compliance with RS.CO-02, prepare the following evidence: Regulatory notification requirement matrix by jurisdiction; Internal incident communication procedures; Notification templates for various stakeholder types. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment