NIST Rewrote the Cyber-Incident Playbook — and Retired the Four-Phase Lifecycle
For more than a decade, almost every U.S. cybersecurity team learned the same four steps for responding to a breach: prepare, detect, contain, and clean up. That sequence came from a single government document — NIST Special Publication 800-61 — and it shaped incident-response plans across federal agencies, hospitals, banks, and contractors.
That playbook has now been rewritten. On April 3, 2025, the National Institute of Standards and Technology published SP 800-61 Revision 3 — its first major overhaul since 2012 — and quietly retired the familiar four-phase lifecycle. In its place, NIST mapped incident response onto the six functions of the Cybersecurity Framework (CSF) 2.0: Govern, Identify, Protect, Detect, Respond, and Recover.
This is an explainer, not breaking news: the document has been final for over a year and is the current standard most U.S. organizations build on. But its implications are still working their way through security teams — especially as attacks and defenses both lean harder on AI. Here is what changed, and why it matters.
- 6 functions — the CSF 2.0 functions that now organize incident response — Govern, Identify, Protect, Detect, Respond, Recover — replacing the old four-phase lifecycle · Source: NIST CSRC SP 800-61r3
- April 3, 2025 — the publication date of SP 800-61 Revision 3, the final version of the new guidance · Source: NIST.gov News
- 2012 → 2025 — the gap since Revision 2, the prior 'Computer Security Incident Handling Guide' that Rev 3 supersedes · Source: NIST CSRC
- Community Profile — Rev 3 is framed as a CSF 2.0 'Community Profile' — a tailored view of the framework rather than a stand-alone process · Source: NIST CSRC; Industrial Cyber
- Continuous — incident response is reframed as an ongoing, embedded practice within risk management — not a one-off triggered only by a breach · Source: Inside Privacy (Covington)
NIST is the federal standards body whose cybersecurity publications, while voluntary for most of the private sector, function as the de facto baseline for U.S. organizations — and are mandatory for many federal systems. SP 800-61 is its guidance on how to handle a cyber incident: a confirmed or suspected breach, intrusion, or compromise. The 2012 edition, Revision 2, was titled the Computer Security Incident Handling Guide, and its four-step lifecycle — preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity — became boilerplate in incident-response plans everywhere.
Revision 3 keeps the mission but changes the shape. Its formal title — Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile — signals the shift: incident response is no longer a self-contained process but a tailored view, or “profile,” of the broader Cybersecurity Framework.
The four-phase model was easy to teach and easy to put in a binder, but it carried an implicit assumption: that incident response is a discrete event with a beginning and an end. You prepared, you waited, you responded, and you wrote it up. In practice, modern security operations rarely sit still — detection, hardening, and recovery run continuously, often in parallel, and the line between “normal operations” and “an incident” is blurry.
Revision 3 drops the linear phases entirely. Rather than march a team through four boxes, it distributes incident-response activities across the six CSF 2.0 functions, so that the work of governing, protecting, and detecting is understood as ongoing — not something that only kicks in after the alarm sounds.
- Govern. The newest function, added in CSF 2.0: setting and overseeing the organization’s cybersecurity strategy, roles, and risk-management expectations.
- Identify. Understanding assets, systems, data, and the risks that surround them.
- Protect. Safeguards that limit or contain the impact of a potential incident.
- Detect. Finding and analyzing possible attacks and compromises.
- Respond. Taking action once an incident is detected — containment, mitigation, and communication.
- Recover. Restoring assets and operations affected by an incident, and folding lessons back into the program.
The Cybersecurity Framework, first released in 2014, is one of NIST’s most widely adopted products — used by organizations of every size as a common language for managing cyber risk. CSF 2.0, finalized in 2024, added the Govern function to stress that cybersecurity is a leadership and risk-management responsibility, not just a technical one.
By framing Revision 3 as a CSF 2.0 “Community Profile,” NIST lets incident response inherit that ecosystem: the same vocabulary, the same mappings to controls, and the large library of resources organizations already use for the framework. For a team that has already adopted CSF 2.0, incident response stops being a separate silo and becomes one more view of a system they know.
The deeper change is conceptual. Revision 3 reframes incident response as a continuous, embedded practice — a loop of preparation, learning, and improvement woven into an organization’s ongoing risk management, rather than a procedure that activates only when something breaks. Lessons from one event feed directly back into governance and protective controls, so the program gets sharper over time.
Practitioner write-ups from firms like Covington, Industrial Cyber, and Drata read the new document the same way: the emphasis moves from “follow these steps during an incident” to “build a resilient program that is always ready, always watching, and always improving.” That is a meaningful posture shift for any security team that still treats its incident-response plan as a binder pulled off the shelf in an emergency.
The timing connects to a fast-moving threat landscape. Attackers increasingly use AI to accelerate reconnaissance, craft convincing phishing, and adapt during an intrusion; defenders, in turn, lean on AI for detection, triage, and automated response. A rigid four-phase checklist fits that world poorly. A continuous, risk-management-anchored model — one that assumes detection and response are always on — maps far better to security operations where machine speed is now part of both offense and defense.
None of this makes Revision 3 an “AI standard.” It does not prescribe specific tools or models. But by tying incident response to a living framework rather than a fixed sequence, NIST gave organizations a structure that can absorb new techniques — AI-driven or otherwise — without needing another full rewrite each time the threat picture changes.
NIST has revised Special Publication 800-61, updating its incident response guidance and aligning it with the NIST Cybersecurity Framework (CSF) 2.0 to better integrate incident response into broader cybersecurity risk management.
NIST publishes SP 800-61 Rev. 3, overhauling incident response guidance for CSF 2.0 — retiring the four-phase lifecycle and mapping incident response to the framework's Govern, Identify, Protect, Detect, Respond, and Recover functions.
SP 800-61 Revision 3 is less a new set of rules than a new mental model. The four-phase lifecycle that a generation of security professionals memorized is gone, replaced by incident response woven into the six functions of CSF 2.0 and treated as a continuous part of managing risk. For organizations already standardized on the framework, it is a natural fit; for those still running a static four-step plan, it is an invitation to rethink. Either way, it is the guidance the rest of the U.S. cybersecurity world will increasingly be measured against.
“Incident response is no longer a separate process you start when something breaks — it is a continuous part of how an organization governs and manages cyber risk.”
A plain-language summary of SP 800-61 Rev. 3's central shift
- NIST CSRC — SP 800-61 Rev. 3, 'Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile' (final), April 3, 2025 (primary)
- NIST.gov News — 'NIST Revises SP 800-61: Incident Response Recommendations and Considerations,' April 2025 (primary)
- NIST CSRC — Cybersecurity Framework (CSF) 2.0 (primary)
- NIST CSRC — SP 800-61 Rev. 3 initial public draft (background)
- Inside Privacy (Covington & Burling) — 'NIST Publishes Updated Incident Response Recommendations and Considerations'
- Industrial Cyber — 'NIST Publishes SP 800-61 Rev. 3, Overhauling Incident Response Guidance for CSF 2.0'
- Security Boulevard — 'NIST Launches Updated Incident Response Guide'
- Drata — 'NIST Incident Response Guide' explainer
- Tandem — 'Updated NIST Incident Response Guidance: SP 800-61 Rev. 3'
- LinfordCo — 'NIST SP 800-61 Rev 3: New Incident Response Framework Guide'
- NIST CSRC — SP 800-61 Rev. 2 (2012), 'Computer Security Incident Handling Guide' (superseded)
Last updated June 20, 2026