NIST SP 800-61

Definition

The US National Institute of Standards and Technology's Computer Security Incident Handling Guide. It defines a four-phase IR lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The current version is Revision 3 (2024).

Related terms

After-Action Report (AAR)
The formal document produced during Lessons Learned that records the incident timeline, decisions made, outcomes, and recommended improvements. The AAR drives updates...
Containment strategy
A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
CREST
A UK-based not-for-profit professional body that publishes practitioner-focused incident response guidelines and operates accreditation schemes for IR service providers. CREST guidance emphasises...
Eradication
The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
Framework blending
The practice of combining elements of multiple IR frameworks: for example, using NIST as the strategic backbone, SANS phase names in operational...
Incident declaration
The formal decision, made during the Identification stage, that a detected event meets the organisation's criteria for a security incident. Declaration triggers...
ISO/IEC 27035
An international standard for information security incident management. Part 1 covers principles and concepts; Part 2 covers planning and preparation. It defines...
Phase granularity
The number and specificity of discrete steps a framework defines within the IR lifecycle. Higher granularity, as in SANS PICERL's six steps...
PICERL
Acronym for the six SANS IR stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The model is cyclical: the final stage...
SANS PICERL
A six-step incident response model developed through SANS Institute training: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. PICERL breaks NIST's combined response...

Explained in these topics

  • Comparing Incident Response Frameworks: The Computer Security Incident Handling Guide published by the US National Institute of Standards and Technology. It defines a four-phase IR lifecycle and is t...
  • The SANS PICERL Model: The US National Institute of Standards and Technology's Computer Security Incident Handling Guide. It defines a four-phase IR lifecycle: Preparation; Detection...
