IR plan maturity assessment across all four NIST 800-61 phases
The Incident Response Auditor evaluates organizational IR plans against NIST SP 800-61 Rev 3 (Computer Security Incident Handling Guide) and CISA incident response guidelines. It assesses maturity across all four IR phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. The auditor produces maturity scores, gap analysis, and actionable readiness checklists.
Ensure your incident response plan is in Markdown or text format. The auditor analyzes the document structure and content for completeness.
```bash
# Verify the IR plan is accessible
cat /docs/incident_response_plan.md | head -20
```

Execute the auditor against your IR plan. It will assess each of the four NIST 800-61 phases and produce a maturity report.

```bash
python3 ir_audit.py \
  --ir-plan /docs/incident_response_plan.md \
  --output /reports/ir_audit.md
```

Produce a standalone checklist that can be used for tabletop exercises and IR drills.

```bash
python3 ir_audit.py \
  --ir-plan /docs/incident_response_plan.md \
  --checklist-only \
  --output /reports/ir_checklist.md
```

Feed critical IR gaps into the consolidated risk register.

```bash
python3 risk_report.py add-risk \
  --project my-audit \
  --title 'IR Plan Missing Supply Chain Procedures' \
  --source ir-audit \
  --likelihood 3 --impact 4 \
  --control IR-4
```

Perform a complete maturity assessment across all four NIST 800-61 phases.

```bash
python3 ir_audit.py --ir-plan ir_plan.md --output ir_audit_report.md
```

```text
Incident Response Readiness Audit
═══════════════════════════════════
Phase 1 - Preparation: 87.5% (7/8 requirements)
Phase 2 - Detection/Analysis: 83.3% (5/6 requirements)
Phase 3 - Containment/Eradication: 80.0% (4/5 requirements)
Phase 4 - Post-Incident: 66.7% (4/6 requirements)
Overall IR Maturity: 80.6%
CISA Compliance: 76.0%
Critical Gaps: 5 items requiring attention
Report saved to: ir_audit_report.md
```
```markdown
# Incident Response Readiness Audit
**Date:** 2026-03-01 | **Framework:** NIST SP 800-61 Rev 3

## Phase Maturity Scores
| Phase | Score | Status |
|-------|-------|--------|
| 1. Preparation | 87.5% | ✅ Strong |
| 2. Detection & Analysis | 83.3% | ✅ Strong |
| 3. Containment/Eradication/Recovery | 80.0% | ⚠️ Adequate |
| 4. Post-Incident Activity | 66.7% | ⚠️ Needs Improvement |
| **Overall** | **80.6%** | **⚠️ Adequate** |

## Critical Gaps
1. ❌ No supply chain incident procedures (CISA requirement)
2. ❌ No automated indicator sharing (NIST 800-61 §3.2.4)
3. ❌ Lessons learned process not formalized
4. ❌ No metrics/KPIs for IR effectiveness
5. ❌ Missing cross-functional communication templates
```

```markdown
## Phase 1: Preparation Checklist
- [x] IR team roles and responsibilities defined
- [x] Contact information for IR team members
- [x] Escalation procedures documented
- [x] Communication templates prepared
- [x] IR tools and resources identified
- [x] Training program established
- [x] Legal/compliance notification requirements
- [ ] Supply chain incident procedures ← GAP
```

- Develop, document, and disseminate incident response policy and procedures.
- Provide incident response training to system users.
- Implement an incident handling capability for incidents.
- Track and document incidents on an ongoing basis.
- Require personnel to report suspected incidents to the organizational incident response capability.
- Develop an incident response plan that provides a roadmap for implementing the incident response capability.
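A keyword-based version of the Phase 1 assessment and checklist rendering shown above, as an added example written for this page and not the ir_audit.py tool's own code; the evidence regexes and the sample plan excerpt are constructed assumptions, and a real plan would need broader patterns per requirement.

```python
import re

# Phase 1 (Preparation) requirements from the checklist above, each paired with
# an assumed regex treated as evidence that the plan addresses it.
PHASE1_REQUIREMENTS = {
    "IR team roles and responsibilities defined": r"roles? and responsibilit",
    "Contact information for IR team members": r"contact (info|list|details)",
    "Escalation procedures documented": r"escalat",
    "Communication templates prepared": r"communication templates?",
    "IR tools and resources identified": r"\btools?\b",
    "Training program established": r"training",
    "Legal/compliance notification requirements": r"(legal|regulat|compliance).*notif",
    "Supply chain incident procedures": r"supply[- ]chain",
}

def assess_phase(plan_text, requirements):
    """Split one phase's requirements into (met, gaps) by case-insensitive regex search."""
    text = plan_text.lower()
    met, gaps = [], []
    for name, pattern in requirements.items():
        (met if re.search(pattern, text) else gaps).append(name)
    return met, gaps

def maturity_score(met, gaps):
    """Percentage of requirements with evidence in the plan, one decimal place."""
    total = len(met) + len(gaps)
    return round(100.0 * len(met) / total, 1) if total else 0.0

def render_checklist(title, met, gaps):
    """Render the Markdown checklist shape used on this page, flagging gaps."""
    lines = [f"## {title}"]
    lines += [f"- [x] {name}" for name in met]
    lines += [f"- [ ] {name} ← GAP" for name in gaps]
    return "\n".join(lines)

# Constructed sample IR plan excerpt; it covers 7 of the 8 Phase 1 requirements.
SAMPLE_PLAN = """# Incident Response Plan
The IR lead, SOC analysts and legal counsel have defined roles and responsibilities.
Contact details for every IR team member are kept in the on-call roster.
Severity-1 incidents escalate to the CISO within 30 minutes.
Approved communication templates for staff and customers are in Appendix B.
Approved tools: EDR console, packet capture and the SIEM.
Annual IR training and tabletop exercises are mandatory for all responders.
Legal determines regulator and customer notification obligations.
"""

if __name__ == "__main__":
    met, gaps = assess_phase(SAMPLE_PLAN, PHASE1_REQUIREMENTS)
    print(f"Phase 1 - Preparation: {maturity_score(met, gaps)}% ({len(met)}/{len(met) + len(gaps)} requirements)")
    print(render_checklist("Phase 1: Preparation Checklist", met, gaps))
```

Running it prints the same 87.5% (7/8) Phase 1 line as the sample output and a checklist whose only unchecked item is the supply chain gap.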