NIST CSF 2.0 · All Functions · RS Respond · RS.AN Incident Analysis

RS.AN-03

Analysis is performed to establish what has taken place during an incident and the root cause of the incident

Implementation examples

Ex1: Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event
Ex2: Attempt to determine what vulnerabilities, threats, and threat actors were directly or indirectly involved in the incident
Ex3: Analyze the incident to find the underlying, systemic root causes
Ex4: Check any cyber deception technology for additional information on attacker behavior

Mapped NIST 800-53 r5 controls (3)

Mapped CWE weaknesses (3)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-179→P CWE-223←P CWE-778→P

All informative references (38)

AI-SOC: AI-SOC-23
AI-SOC: AI-SOC-13
CCMv4.0: SEF-06
CIS Controls v8.0: 17.8
CIS Controls v8.1: 17.8
CRI Profile v2.0: RS.AN-03
CRI Profile v2.0: RS.AN-03.01
CSF v1.1: RS.AN-3
CoP: D4
ISO/IEC 27001:2022: Mandatory Clause: None
ISO/IEC 27001:2022: Annex A Controls: 5.25
ISO/IEC 27001:2022: Annex A Controls: 5.27
NICE Framework: IO-WRL-001
NICE Framework: IO-WRL-003
NICE Framework: IO-WRL-006
NICE Framework: OG-WRL-012
NICE Framework: PD-WRL-002
NICE Framework: PD-WRL-003
NICE Framework: PD-WRL-004
OWASP Top 10 LLM Applications: LLM01-2025
OWASP Top 10 LLM Applications: LLM04-2025
OWASP Top 10 LLM Applications: LLM05-2025
PCI DSS: 10.2.1
PCI DSS: 10.4.1
PCI DSS: 6.3.1
PCI DSS: 10.2.2
SCF: IRO-13
SDOS: SDOS-AU-01
SDOS: SDOS-AU-02
SDOS: SDOS-DE-02
SDOS: SDOS-RS-01
SP 800-171 Rev 3: 03.03.06
SP 800-171 Rev 3: 03.06.01
SP 800-53 Rev 5.1.1: AU-07
SP 800-53 Rev 5.1.1: IR-04
SP 800-53 Rev 5.2.0: AU-07
SP 800-53 Rev 5.2.0: IR-04
SP 800-53 Rev 5.2.0: SI-02(07)

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).