RS.MI-2: Incident Mitigation – NIST Cybersecurity Framework
Incident mitigation is your organization's ability to contain and reduce the impact of confirmed security incidents. NIST RS.MI-2 requires you to have documented processes and capabilities to execute mitigation actions that limit damage, prevent escalation, and restore normal operations as quickly as possible.
What this means
RS.MI-2 requires your organization to actively reduce the scope and impact of confirmed security incidents through pre-planned, documented mitigation actions. This means having defined procedures to isolate affected systems, halt malicious activity, preserve forensic evidence, and initiate recovery steps. Mitigation must be coordinated across technical, operational, and management teams to ensure containment is effective and aligned with your incident response plan.
How to comply
- 1.Develop and document incident mitigation procedures that address common attack vectors and threat scenarios relevant to your industry
- 2.Define clear mitigation workflows that specify who approves isolation decisions, which systems can be disconnected, and communication protocols during containment
- 3.Establish automated or manual controls to isolate compromised systems, disable accounts, revoke credentials, or segment network traffic within minutes of confirmation
- 4.Create playbooks for specific incident types (ransomware, data exfiltration, insider threat) with pre-authorized mitigation actions
- 5.Test mitigation procedures quarterly through incident response drills and tabletop exercises with relevant stakeholders
- 6.Document and track all mitigation actions taken during incidents, including timing, authorization, and outcomes for post-incident review
Evidence auditors look for
- Incident response plan with defined mitigation procedures and escalation paths
- Network segmentation diagrams showing isolation zones and controls
- Incident tickets or logs showing mitigation actions executed within defined timeframes
- Evidence of system isolation: screenshots of network disconnections, account disables, or firewall rule changes
- Incident response drill reports with mitigation team participation and timing metrics
- Authorized contact lists and decision authority documentation for emergency mitigation approval
- Runbooks or playbooks specific to high-risk incident scenarios with pre-approved mitigation steps
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates incident tracking and mitigation workflow documentation, reducing response time and ensuring every mitigation action is logged with timestamps and approvals for instant audit evidence.
See how GRCWatch handles this control automatically
Start free trial