Framework Category
Incident Mitigation
Incident Mitigation focuses on minimizing damage by containing and eradicating incidents.
It also addresses newly discovered vulnerabilities through mitigation or formal risk acceptance.
Implementation Questions
RS.MI-01
Incidents are contained
Do your cybersecurity technologies and security features in other systems automatically perform containment actions when threats are detected?
Automatic containment actions are security measures that isolate or restrict potentially malicious activities without requiring manual intervention. Examples include antivirus software automatically quarantining infected files, firewalls blocking suspicious network traffic, intrusion prevention systems terminating suspicious connections, and endpoint protection platforms isolating compromised devices from the network.
Does your incident response process allow responders to manually select and execute containment actions during security incidents?
Effective incident response requires the ability for responders to make real-time decisions about how to contain threats based on the specific nature of each incident.
Does your organization have formal agreements with third parties (e.g., ISPs, MSSPs) authorizing them to perform containment actions during security incidents?
Third-party containment authority is under review, namely whether formal agreements let parties like ISPs or MSSPs take containment actions during your security incidents. Such arrangements can be crucial during critical incidents when internal resources may be overwhelmed or when specialized expertise is required for effective containment.
Does your organization automatically transfer compromised endpoints to a remediation VLAN for isolation and remediation?
Automatically moving compromised endpoints to a separate remediation VLAN helps contain potential security incidents by isolating the affected device from the rest of the network.
RS.MI-02
Incidents are eradicated
Does your organization implement automated eradication capabilities within cybersecurity technologies and security features of other technologies?
Automated eradication capabilities allow systems to automatically remove or neutralize identified threats without requiring manual intervention. Examples include anti-malware solutions that automatically quarantine or delete malicious files, intrusion prevention systems that block malicious traffic, and operating systems that automatically remove unauthorized applications or revert to secure configurations.
Does your incident response system allow authorized responders to manually select and execute eradication actions during security incidents?
Hands-on control during eradication is what reviewers want to verify, namely whether authorized responders can manually select and execute actions to remove threats during an incident. Manual eradication capabilities are crucial when automated responses are insufficient or when incidents require human judgment to determine the most appropriate remediation approach without causing operational disruptions.
Does your organization have formal agreements in place with third-party security providers to perform incident eradication actions on your behalf?
Third-party security providers (such as Managed Security Service Providers) can offer specialized expertise and resources for eradicating security incidents that may exceed internal capabilities. These arrangements should clearly define the scope of authority, procedures, and communication protocols for when and how third parties can take eradication actions within your environment.
RS.MI-03
Newly identified vulnerabilities are mitigated or documented as accepted risks
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

