Cyber Incident Response Plan (CIRP): NIST SP 800-34 Guide A Cyber Incident Response Plan (CIRP) is a pre-authorized, documented process that tells an organization exactly how to detect, contain, and recover from a cybersecurity incident — before one happens.

Boards, executive teams, and regulated organizations in financial services, healthcare, and retail frequently reference a CIRP as a compliance requirement. Few interrogate whether the plan would actually hold up under real incident conditions. That gap is where organizations get hurt.

This article explains what a CIRP is, how NIST SP 800-34 Rev. 1 frames it within a broader contingency planning system, how it works operationally, and what separates a plan that holds from one that collapses the moment pressure hits.

TL;DR

  • A CIRP is one of eight plan types explicitly named in NIST SP 800-34 — distinct from a general incident response policy or a disaster recovery plan
  • NIST SP 800-34 positions the CIRP within a seven-step contingency planning process that starts with policy and requires regular testing and maintenance
  • The four operational phases map directly to the NIST SP 800-61 incident handling lifecycle, from preparation through post-incident activity
  • Most CIRPs fail because decision rights, escalation thresholds, and communication authority were never formally established — not because of missing technical steps

What Is a Cyber Incident Response Plan (CIRP)?

A CIRP is a documented, pre-authorized set of procedures that governs how an organization detects, responds to, contains, and recovers from cybersecurity incidents. Per NIST SP 800-34, it enables security personnel to identify, mitigate, and recover from malicious incidents — including unauthorized access, denial of service, and unauthorized changes to hardware, software, or data.

That distinction matters. A CIRP is not a general security policy, and it is not a disaster recovery plan — it is a specific operational document that activates when an active cyber threat hits your information systems.

What a CIRP Is Designed to Deliver

When it activates, a well-built CIRP produces measurable outcomes:

  • Reduced dwell time — organizations that detect intrusions internally cut median dwell time from 11 days to 5, per Mandiant's M-Trends 2025 report
  • Clear escalation paths — responders know who decides, who communicates, and who has authority to act
  • Faster containment — pre-defined severity tiers remove ambiguity about how aggressively to respond
  • Minimized reputational and operational damage — documented communication protocols prevent improvised messaging under pressure

How a CIRP Differs from Related Plans

NIST SP 800-34 names eight coordinated contingency plan types. Confusing them is a governance mistake:

Plan Trigger Scope
CIRP Active cyber attack or malicious incident Information systems under active threat
ISCP System recovery regardless of cause or site Individual information system restoration
BCP Operational disruption Mission-critical processes, not just systems
DRP Major physical disruption requiring relocation Infrastructure restoration at alternate sites

These plans coordinate — a CIRP may activate an ISCP or DRP depending on attack severity — but they serve different triggers and must not be conflated.

How NIST SP 800-34 Positions the CIRP Within Contingency Planning

NIST SP 800-34 Rev. 1 (Contingency Planning Guide for Federal Information Systems) names the CIRP as one of eight coordinated plan types in an organization's contingency planning ecosystem — not an afterthought, not a standalone document. It also references NIST SP 800-61 for detailed incident handling guidance, creating a two-layer architecture where governance and operations each have a defined home.

The Seven-Step Governance Framework

NIST SP 800-34 provides a seven-step process that gives a CIRP its governance structure:

  1. Develop the contingency planning policy statement — defines organizational authority and assigns roles
  2. Conduct the Business Impact Analysis (BIA) — identifies critical systems and sets downtime thresholds
  3. Identify preventive controls — reduces incident likelihood and impact
  4. Create contingency strategies — establishes response and recovery approaches
  5. Develop the plan — documents procedures, roles, and communication protocols
  6. Ensure plan testing, training, and exercises — validates the plan works before an incident
  7. Ensure plan maintenance — keeps the plan current after changes

NIST SP 800-34 seven-step contingency planning governance process flow infographic

Most organizations rush or skip Steps 1, 2, and 7. The result is a CIRP built without board-level policy authority, disconnected from actual system priorities, and never updated after personnel or infrastructure changes.

Why the BIA Is the CIRP's Foundation

The BIA converts organizational priorities into response sequencing. Without one, recovery decisions during a live incident default to whoever is loudest in the room rather than to pre-authorized policy.

NIST SP 800-34 defines two specific metrics the BIA must produce for each critical system:

  • Maximum Tolerable Downtime (MTD) — the total outage duration an organization can accept before unacceptable mission impact occurs
  • Recovery Time Objective (RTO) — the maximum time a system resource can remain unavailable; the RTO should normally be shorter than the MTD

Organizations that skip the BIA often discover this gap at the worst possible moment: mid-incident, when there is no time to build consensus from scratch.

SP 800-34 vs. SP 800-61: Two Layers, Not One

The relationship between these two standards is a common source of confusion:

  • NIST SP 800-34 sets the governance and coordination framework — policy, organizational authority, plan types, testing requirements, and maintenance cadence
  • NIST SP 800-61 (now at Rev. 3 as of April 2025) provides the detailed operational procedures for incident handling — the step-by-step lifecycle responders follow during an active event

Organizations need both layers. SP 800-34 without SP 800-61 gives you governance without operational guidance. SP 800-61 without SP 800-34 gives you a technical playbook that responders may not have the authority — or the prioritization — to execute under pressure.

On applicability: while SP 800-34 was developed for federal information systems under FISMA authority, NIST states it "may be used by nongovernmental organizations on a voluntary basis" — the governance principles transfer cleanly to private sector organizations in regulated industries, even without the federal mandate.

How a CIRP Works: Phases and Process Flow

A CIRP is not a linear checklist. It activates when a potential incident is detected, triggers a defined notification chain, moves through structured phases, and closes with a post-incident review that feeds back into preparedness. The cycle then repeats.

The four-phase lifecycle below mirrors the NIST SP 800-61 Rev. 2 incident handling framework, which SP 800-34 is explicitly designed to align with.

Phase 1 — Preparation

Everything that must exist before an incident occurs:

  • Defined incident response team roles with named alternates and documented authority
  • System inventories and baseline monitoring configurations
  • Incident severity classification criteria with pre-defined impact tiers
  • Pre-approved communication templates for internal stakeholders, customers, and regulators
  • Established retainer relationships with outside legal counsel, forensics firms, and law enforcement contacts
  • A functional call tree that works after business hours

Preparation is not a one-time setup task. It requires ongoing maintenance as systems, personnel, and threats change.

Phase 2 — Detection and Analysis

The CIRP directs the team to:

  1. Collect and correlate signals from logs, alerts, and threat intelligence feeds
  2. Determine whether a genuine incident has occurred versus a false positive
  3. Assess scope and severity using the pre-defined impact tiers from Phase 1
  4. Formally declare the incident — triggering the escalation chain, legal notifications, and the rest of the plan

SP 800-61 classifies incidents by functional impact (None, Low, Medium, High) and information impact (None, Privacy Breach, Proprietary Breach, Integrity Loss). Without pre-defined tiers, incident declaration becomes subjective, and escalation decisions get made too late.

Phase 3 — Containment, Eradication, and Recovery

Containment strategy depends directly on the severity tier established in Phase 2:

  • Short-term containment isolates affected systems immediately to stop spread
  • Longer-term remediation addresses root cause without premature restoration
  • Eradication removes the threat from every affected system, not just the obvious entry point
  • Recovery restores normal operations with validation steps before systems return to production

CIRP four-phase incident response lifecycle from containment to recovery steps

Recovery sequencing must follow Business Impact Analysis (BIA)-derived system priorities. Restoring the wrong systems first — because they're technically easier, not because they're operationally critical — is a common and costly mistake.

Phase 4 — Post-Incident Activity

Both NIST SP 800-34 and SP 800-61 require a structured after-action review. Skipping it breaks the feedback loop that keeps the plan current.

The review must document:

  • What happened, including timeline and root cause
  • What worked in the response and what failed
  • Dated remediation actions with named owners and target completion dates

This output feeds directly into Step 7 of the SP 800-34 process — plan maintenance. The review's action items become the revision agenda: updated roles, revised impact tiers, corrected runbooks, or new escalation thresholds. If the after-action produces no plan changes, the review accomplished documentation without improvement.

Why Governance and Executive Ownership Determine CIRP Effectiveness

Technical completeness is not what makes a CIRP work. Decision rights are.

Most CIRPs are built by technical teams and never socialized upward. The result: no pre-established authority for containment decisions that affect operations, no board escalation thresholds, and no clarity on who can authorize taking a revenue-generating system offline. When an incident hits, those decisions get made under pressure by whoever is in the room.

What NIST SP 800-34 Requires at the Governance Level

The standard requires a formal contingency planning policy statement that:

  • Defines organizational authority for contingency planning decisions
  • Assigns roles and responsibilities across executive and technical levels
  • Establishes a review and approval schedule

This is a governance task, not a technical one. It belongs to the board and C-suite, not to the security team.

The Board's Specific Obligations

In advisory work with boards across financial services, healthcare, and retail, the governance gaps that appear most consistently are not technical — they are authority gaps. Who can declare a material incident? Who can shut down a system? Who speaks publicly, and using which pre-approved messaging?

Board-level CIRP governance requires:

  • Approving the contingency planning policy and escalation thresholds
  • Ensuring adequate resources for testing and maintenance
  • Receiving plain-language reporting on CIRP readiness and exercise outcomes
  • Understanding the threshold at which the board itself must be notified and engaged

Board-level CIRP governance obligations across three organizational tiers comparison

Regulatory expectations make this concrete. The SEC's 2023 cybersecurity disclosure rules require public companies to disclose material cybersecurity incidents via Form 8-K within four business days of determining materiality — and to describe board oversight of cybersecurity risks in annual filings. HIPAA requires breach notification to affected individuals and HHS within 60 days of discovery. FFIEC examiners evaluate whether financial institutions have incorporated incident resilience planning into their business continuity processes.

None of these obligations can be met during an incident if escalation authority was never defined before the incident.

Closing the Governance Gap

Organizations without a seasoned CISO — or those navigating leadership transitions — frequently lack the internal capacity to translate SP 800-34 requirements into board-ready governance structures.

That gap is specific: technical teams can write procedures, but they rarely have the standing to establish board escalation thresholds, define what constitutes a material incident, or produce the disclosure playbook an audit committee needs.

Tyson Martin's advisory and interim CISO engagements target this gap directly. The 30-day deliverable is not a plan document — it is documented decision rights established before an incident tests them:

  • Who owns incident escalation
  • What triggers board notification
  • Who authorizes containment actions that affect operations
  • Who speaks externally and using which approved messaging

Common CIRP Mistakes That Leave Organizations Exposed

Treating the CIRP as a Compliance Artifact

The most damaging pattern: producing a document for an audit, filing it, and never testing whether it reflects how the organization actually operates. NIST SP 800-34 is direct on this point — testing validates recovery capabilities and identifies planning gaps. A plan that has never been exercised is a story, not a capability.

Under stress, people fall to their habits. If the habits were never built through practice, the plan is irrelevant.

Missing Communication and Legal Notification Protocols

CIRPs frequently omit or underspecify:

  • Who contacts regulators, under what timeline, and using which approved messaging
  • Who has authority to speak publicly — and what they can say before facts are confirmed
  • When outside legal counsel gets pulled in, and who makes that call
  • How privilege is preserved during forensic investigation

Under NIST SP 800-34, communication protocols are an explicit plan element. Organizations that improvise these decisions during an incident face delayed regulatory notifications, inconsistent public statements, and potential privilege complications — all of which compound the original damage.

Failing to Maintain the Plan After Changes

SP 800-34 Step 7 requires plans to be reviewed and updated at an organization-defined frequency and whenever significant changes occur. In practice, many organizations update their CIRP only when auditors ask.

The result: the plan references departed personnel, decommissioned systems, and response strategies that no longer match the current environment. An incident response team discovering mid-crisis that the escalation contact left the company six months ago is not a hypothetical — it is a predictable and avoidable outcome of skipping maintenance.

NIST's testing guidance prescribes exercises by system impact level — each designed to surface gaps before an attacker does:

NIST CIRP testing exercise types by system impact level tabletop functional full-scale

  • Tabletop exercises — minimum standard for lower-impact systems
  • Functional exercises — required for moderate-impact systems
  • Full-scale exercises — required for high-impact systems

Frequently Asked Questions

What is a cyber incident response plan (CIRP) and how does NIST define it?

A CIRP is one of eight plan types explicitly named in NIST SP 800-34, designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents — including unauthorized access, denial of service, and unauthorized system changes. It sits alongside — but is distinct from — the ISCP, BCP, and DRP, each covering different triggers and recovery scopes.

What is NIST SP 800-34?

NIST SP 800-34 Rev. 1 is NIST's Contingency Planning Guide for Federal Information Systems — a framework providing a seven-step process for developing, testing, and maintaining contingency plans including the CIRP. While developed for federal agencies under FISMA, NIST explicitly states its principles may be used voluntarily by private and commercial organizations.

What are the phases in an incident response plan according to NIST SP 800-61?

NIST SP 800-61 Rev. 2 defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. NIST SP 800-34 establishes the governance layer — policy, authority, and plan structure — within which those operational procedures run.

How is NIST SP 800-34 different from NIST SP 800-61 for incident response purposes?

NIST SP 800-34 sets the governance framework — policy, authority, plan types, and maintenance requirements. NIST SP 800-61 provides the operational step-by-step incident handling procedures. In practice, SP 800-34 defines who has authority to act; SP 800-61 defines what to do with it.

Who is responsible for owning and governing the CIRP within an organization?

Responsibility is shared across three tiers: the board or audit committee approves policy and escalation thresholds; the CISO leads development and execution; and the CEO, COO, and General Counsel own operational decisions during an active incident. When those roles are undefined, decisions default to whoever is available — not whoever has authority.

How often should a CIRP be tested and updated under NIST SP 800-34?

NIST SP 800-34 requires regular testing and maintenance, with updates recommended at minimum annually and after any major incident, system change, or personnel change. Tabletop exercises meet the threshold for lower-impact systems; functional and full-scale exercises are required for moderate and high-impact systems respectively.