RS.MA-01 Incident Management Plan Execution - NIST CSF 2.0 Checklist

RS.MA-01 requires organizations to the incident response plan is executed in coordination with relevant third parties once an incident is declared. This NIST CSF 2.0 control falls under the Respond (RS) function and the Incident Management category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: RS.MA-01
Title: Incident Management Plan Execution
Function: Respond (RS)
Category: Incident Management
Framework: NIST CSF 2.0

The incident response plan is executed in coordination with relevant third parties once an incident is declared.

The incident response plan is executed in coordination with relevant third parties once an incident is declared. The organization follows documented procedures to contain, eradicate and recover from cybersecurity incidents.

Why This Matters

Ad hoc incident response leads to evidence destruction, extended outages and incomplete containment. A tested plan ensures coordinated action that minimizes business impact and preserves forensic evidence.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of RS.MA-01.

Maintain a current incident response plan with defined roles and procedures
Activate the incident response team upon incident declaration
Follow documented containment procedures appropriate to incident type
Coordinate with legal counsel on evidence preservation and notification requirements
Engage external incident response resources when internal capacity is exceeded
Document all response actions with timestamps in an incident log

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with RS.MA-01 during an audit.

Incident response plan document with revision history
Incident response team activation records
Incident logs with timestamped response actions
Legal counsel engagement records for incident response
External incident response retainer agreements

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with RS.MA-01.

Incident response plan exists but has not been updated or tested in over a year
No external incident response retainer is in place for surge capacity
Incident response actions are not documented contemporaneously

FAQ

What does RS.MA-01 require?

RS.MA-01 (Incident Management Plan Execution) requires that the incident response plan is executed in coordination with relevant third parties once an incident is declared. The organization follows documented procedures to contain, eradicate and recover from cybersecurity incidents. This control is part of the NIST CSF 2.0 Respond function under the Incident Management category.

How do I prove compliance with RS.MA-01?

To demonstrate compliance with RS.MA-01, prepare the following evidence: Incident response plan document with revision history; Incident response team activation records; Incident logs with timestamped response actions. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment