GRCWatch
Sign inStart free trial

RS.MI-1: Incident Containment — NIST Cybersecurity Framework

Incident containment is your critical defense against breach escalation. NIST RS.MI-1 requires organizations to actively limit the scope and impact of detected security incidents. Without containment procedures, a minor breach can spiral into organizational crisis.

What this means

RS.MI-1 mandates that your organization establishes and executes containment procedures to stop active incidents from spreading. This control ensures incidents are isolated, damage is minimized, and investigation can proceed without further compromise. Containment is the bridge between detection and recovery—it's where rapid response prevents catastrophe.

How to comply

  1. 1.Define incident containment procedures for each incident severity level (critical, high, medium, low)
  2. 2.Establish clear isolation protocols for affected systems, networks, and user accounts
  3. 3.Document decision trees for when to escalate containment to full network segments vs. targeted remediation
  4. 4.Train incident response teams on containment techniques specific to your infrastructure and threat landscape
  5. 5.Test containment procedures quarterly through tabletop exercises and simulated breach scenarios
  6. 6.Maintain contact lists and playbooks for rapid containment activation (within 15-30 minutes of confirmed incident)
  7. 7.Implement technical controls (network segmentation, endpoint isolation, credential revocation) that support manual containment actions
  8. 8.Log all containment actions with timestamps, rationale, and effectiveness assessment for post-incident review

Evidence auditors look for

  • Incident response plan with documented containment procedures and escalation criteria
  • Network segmentation diagrams showing isolation zones and failover capabilities
  • Endpoint isolation playbook with step-by-step containment actions
  • Incident logs showing containment timeline, actions taken, and impact assessment
  • Tabletop exercise reports demonstrating team readiness for containment scenarios
  • Training records for incident response personnel on containment protocols
  • Technical documentation of isolation capabilities (network ACLs, EDR policies, account lockdown procedures)
  • Post-incident review documents analyzing containment effectiveness and lessons learned

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates incident timeline logging and containment action tracking, so your team captures evidence automatically while focusing on response speed—eliminating manual documentation delays that compromise audit readiness.

See how GRCWatch handles this control automatically

Start free trial

Related controls

RS.MI-2 (Incident Investigation and Analysis)RS.MI-3 (Incident Eradication and Recovery)DE.CM-1 (Detection Processes)PR.AT-1 (Awareness and Training)RC.RP-1 (Response Planning)