NIST CSF 2.0 - Respond

RS.MI-01: Incident Containment

RS.MI-01 requires organizations to ensure that incidents are contained to prevent further damage. This NIST CSF 2.0 control falls under the Respond (RS) function and the Incident Mitigation category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: RS.MI-01
Title: Incident Containment
Function: Respond (RS)
Category: Incident Mitigation
Framework: NIST CSF 2.0

Incidents are contained to prevent further damage.

Containment actions isolate affected systems and prevent the adversary from expanding their foothold while preserving evidence for forensic analysis.

Why This Matters

Every minute without containment gives attackers more time to exfiltrate data, move laterally, and establish persistence. Rapid containment is the single most impactful action in reducing breach damage.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of RS.MI-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with RS.MI-01 during an audit.

  • Containment strategy documentation by incident type
  • Network isolation capability documentation and test results
  • Forensic evidence preservation procedures
  • Containment action logs with timestamps and effectiveness verification
  • Business impact assessments for containment actions taken

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps we most frequently find in how organizations implement RS.MI-01.

  • Containment strategy is always to reimage the system, destroying forensic evidence
  • No network isolation capability exists for rapid host quarantine
  • Containment actions are taken without assessing or documenting business impact

FAQ

What does RS.MI-01 require?
RS.MI-01 (Incident Containment) requires that incidents are contained to prevent further damage. Containment actions isolate affected systems and prevent the adversary from expanding their foothold while preserving evidence for forensic analysis. This control is part of the NIST CSF 2.0 Respond function under the Incident Mitigation category.
How do I prove compliance with RS.MI-01?
To demonstrate compliance with RS.MI-01, prepare the following evidence: containment strategy documentation by incident type; network isolation capability documentation and test results; and forensic evidence preservation procedures. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.