NIST CSF 2.0 - Respond

RS.MA-03: Incident Categorization and Prioritization

RS.MA-03 requires that incidents be categorized and prioritized based on their severity, scope, and potential business impact. This NIST CSF 2.0 control falls under the Respond (RS) function and the Incident Management category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: RS.MA-03
Title: Incident Categorization and Prioritization
Function: Respond (RS)
Category: Incident Management
Framework: NIST CSF 2.0

Incidents are categorized and prioritized based on their severity, scope and potential business impact. Categorization guides the allocation of response resources and the urgency of containment actions.

Why This Matters

Without categorization, response teams cannot allocate resources effectively. A low-severity malware infection and a data exfiltration event require vastly different response urgency and resources.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of RS.MA-03.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with RS.MA-03 during an audit.

  • Incident categorization taxonomy
  • Severity rating scale with criteria and response timeframes
  • Sample incidents showing categorization and priority assignment
  • Incident metrics reports showing category and severity distribution

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps we most frequently find in organizations' implementations of RS.MA-03.

  • All incidents are treated as the same priority regardless of impact
  • Severity ratings are assigned but not linked to response timeframes
  • Incident categories do not align with the organization's actual threat landscape

FAQ

What does RS.MA-03 require?
RS.MA-03 (Incident Categorization and Prioritization) requires that incidents are categorized and prioritized based on their severity, scope and potential business impact. Categorization guides the allocation of response resources and the urgency of containment actions. This control is part of the NIST CSF 2.0 Respond function under the Incident Management category.
How do I prove compliance with RS.MA-03?
To demonstrate compliance with RS.MA-03, prepare the following evidence: an incident categorization taxonomy; a severity rating scale with criteria and response timeframes; and sample incidents showing categorization and priority assignment. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.