RS.AN-06
Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
Implementation examples
- Ex1: Require each incident responder and others (e.g., system administrators, cybersecurity engineers) who perform incident response tasks to record their actions and make the record immutable
- Ex2: Require the incident lead to document the incident in detail and be responsible for preserving the integrity of the documentation and the sources of all information being reported
Mapped NIST 800-53 r5 controls (3)
Mapped CWE weaknesses (2)
Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.
All informative references (33)
- CRI Profile v2.0: RS.AN-06
- CRI Profile v2.0: RS.AN-06.01
- CSF v1.1: RS.AN-3
- Guardian-SDK: GS-CF-02
- ISO/IEC 27001:2022: Mandatory Clause: None
- ISO/IEC 27001:2022: Annex A Controls: 5.28
- NICE Framework: IO-WRL-001
- NICE Framework: IO-WRL-002
- NICE Framework: IO-WRL-003
- NICE Framework: IO-WRL-006
- NICE Framework: PD-WRL-002
- NICE Framework: PD-WRL-003
- NICE Framework: PD-WRL-004
- PCI DSS: 10.3.2
- PCI DSS: 10.3.1
- PCI DSS: 10.3.3
- PCI DSS: 10.3.4
- PCI DSS: 10.6.1
- PCI DSS: 10.5.1
- SCF: IRO-02
- SCF: IRO-08
- SCF: IRO-09
- SDOS: SDOS-AU-01
- SDOS: SDOS-AU-03
- SP 800-171 Rev 3: 03.03.06
- SP 800-171 Rev 3: 03.06.01
- SP 800-171 Rev 3: 03.06.02
- SP 800-53 Rev 5.1.1: AU-07
- SP 800-53 Rev 5.1.1: IR-04
- SP 800-53 Rev 5.1.1: IR-06
- SP 800-53 Rev 5.2.0: AU-07
- SP 800-53 Rev 5.2.0: IR-04
- SP 800-53 Rev 5.2.0: IR-06
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).